This document is DIS' recommended method for implementing Windows Server 2012 R2 and Active Directory within a K12 network.


WINDOWS SERVER 2012 R2 REQUIREMENTS

Component                 Requirement
------------------------  -------------------------------------------------------------------
Processor                 Minimum: 1.4 GHz (x64 processor)
                          Recommended: 2 GHz or faster
                          Note: processor performance depends not only on the clock frequency
                          of the processor, but also on the number of processor cores and the
                          size of the processor cache.
Memory                    Minimum: 512 MB RAM
                          Recommended: 6 GB RAM or greater
                          Maximum (64-bit systems): 4 TB (Standard and Datacenter editions)
Available Disk Space      Minimum: 32 GB
                          Recommended: 80 GB or greater
                          Note: servers with more than 16 GB of RAM will require more disk
                          space for paging, hibernation, and dump files.
Drive                     DVD-ROM drive
Display and Peripherals   Super VGA (800 x 600) or higher-resolution monitor
                          Keyboard
                          Microsoft Mouse or compatible pointing device
                          Internet access
PRE-INSTALLATION REQUIREMENTS

- Microsoft Windows Server 2012 R2 DVD (with service pack, if applicable).
- One NAT IP address.
- Public IP address (if applicable).
- Floppy disk, USB drive or CD/DVD containing your SCSI/RAID drivers.
INSTALLATION 


1. Insert the Windows Server 2012 R2 installation DVD into the drive.

2. Restart the computer and boot from the DVD-ROM (adjust the boot order in the system firmware if the server boots from disk instead).

3. Wait for Setup to display its first dialog box.

4. When prompted for an installation language and other regional options, make your selection and press Next.

[Screenshot: Windows Setup, Windows Server 2012 R2. Language to install: English (United States); Time and currency format: English (United States). "Enter your language and other preferences and click Next to continue."]
5. Next, press Install Now to begin the installation process.

6. Select the proper edition of Windows Server 2012 R2 that is to be installed and press Next.

[Screenshot: Windows Setup, "Select the operating system you want to install": Windows Server 2012 R2 Standard Evaluation (Server Core Installation), x64; Windows Server 2012 R2 Standard Evaluation (Server with a GUI), x64; Windows Server 2012 R2 Datacenter Evaluation (Server Core Installation), x64; Windows Server 2012 R2 Datacenter Evaluation (Server with a GUI), x64. Description of the GUI option: "This option is useful when a GUI is required, for example to provide backward compatibility for an application that cannot be run on a Server Core installation. All server roles and features are supported. You can switch to a different installation option later. See Windows Server Installation Options."]


7. Read and accept the license terms by clicking to select the checkbox and 
pressing Next. 
8. In the "Which type of installation do you want?" window, click the only available option, Custom: Install Windows only (advanced).

[Screenshot: "Which type of installation do you want?" Upgrade: Install Windows and keep files, settings, and applications (only available when a supported version of Windows is already running on the computer). Custom: Install Windows only (advanced): files, settings and applications are not moved; if you want to make changes to partitions and drives, start the computer using the installation disc; back up your files before you continue. Help me decide.]


9. Select the disk that Windows Server 2012 R2 will be installed on and then click New to create a partition.

[Screenshot: "Where do you want to install Windows?" with columns Name, Total size, Free space, Type; one entry, Drive 0 Unallocated Space. Buttons: Refresh, Delete, Format, New, Load driver, Extend.]

10. In the "Size:" entry box, enter the size of the partition and press Next.

**The size is entered in megabytes: GB x 1024 = size to be entered.

[Screenshot: partition toolbar with Delete, Format, New and Extend; Size: ... MB; Apply / Cancel; Next.]


You will see the following screen while the installation files are copied to the server. The server will reboot to complete the installation (leave the media inserted).

11. Once the server has completed Setup, it will prompt you to set the built-in Administrator password. This password MUST meet the Windows password complexity requirements: a minimum length of 7 characters and characters from three of the following four categories:

a. Upper-case letters
b. Lower-case letters
c. Numbers
d. Special characters

**This local Administrator account becomes the domain Administrator when the server is promoted to the first Domain Controller, so use a long passphrase well beyond the minimum and record it in the district's password safe.

12. Once the password is successfully changed, the server will log in to the initial desktop and Server Manager will start automatically.

SERVER INITIAL CONFIGURATION


1. On the Server Manager screen, click on Local Server.

2. Activate Windows and enter the product key.

3. Change the computer name.

4. Set the time zone.

5. Configure networking: change to a static IP address and disable IPv6 by unchecking the Internet Protocol Version 6 (TCP/IPv6) option on the adapter. Unchecking the box only unbinds IPv6 from that adapter; the system-wide setting is the registry value described under Disable IPv6 via Registry Editor below.

6. Enable Windows Update.

7. Download and install updates.

8. Turn off IE Enhanced Security Configuration for Administrators only, and only if you must browse from the server. A Domain Controller should not be used for web browsing, so leaving IE ESC on is the safer default; turning it off for Users is never appropriate here.


[Screenshot: Server Manager > Local Server > Properties for WIN-S5N7HMD9583 in workgroup WORKGROUP, showing the defaults of a fresh install: Windows Firewall Public On; IPv4 address assigned by DHCP, IPv6 enabled; Last installed updates Never; Windows Update Not configured; time zone (UTC-08:00) Pacific Time (US & Canada); Product ID 00183-90000-00001-AA422 (activated); Windows Server 2012 R2 Standard Evaluation. Events pane: 4 total, including 10149 Warning from Microsoft-Windows-Windows Remote Management and 7023 Error from Microsoft-Windows-Service Control Manager.]
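The same Local Server settings (steps 3 to 5 above) applied from an elevated PowerShell 4.0 prompt, as an added example that is not part of the DIS guide. The adapter alias "Ethernet", the address 10.10.10.10/23, the gateway 10.10.10.1, the name DC1 and the Central time zone are assumed values; replace them with your own.

```powershell
# Added example (not from the DIS guide): steps 3-5 of Server Initial Configuration
# done with PowerShell on Windows Server 2012 R2. Run elevated.
# Assumed values: adapter "Ethernet", 10.10.10.10/23, gateway 10.10.10.1, name DC1.

$Adapter  = 'Ethernet'
$StaticIP = '10.10.10.10'
$Prefix   = 23            # 255.255.254.0, the 10.10.10.0 - 10.10.11.255 range used later in the guide
$Gateway  = '10.10.10.1'
$NewName  = 'DC1'

# Step 5: static IPv4 address. Stop DHCP on the interface first, then assign the address.
Set-NetIPInterface -InterfaceAlias $Adapter -AddressFamily IPv4 -Dhcp Disabled
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $StaticIP -PrefixLength $Prefix -DefaultGateway $Gateway

# The DNS client must point at this server before AD DS is installed
# (see "Domain Services and Active Directory Setup").
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $StaticIP

# Step 5, IPv6: unchecking "Internet Protocol Version 6 (TCP/IPv6)" in the adapter
# properties is the same as disabling the ms_tcpip6 binding. This only unbinds the
# adapter; the system-wide DisabledComponents value is covered in the registry section.
Disable-NetAdapterBinding -Name $Adapter -ComponentID 'ms_tcpip6'

# Step 4: time zone. PowerShell 4.0 has no Set-TimeZone cmdlet, so use tzutil.
tzutil.exe /s 'Central Standard Time'

# Verify before renaming: address, gateway and DNS server should all show the values above.
Get-NetIPConfiguration -InterfaceAlias $Adapter

# Step 3: rename. The new name takes effect after the restart, so do this last.
Rename-Computer -NewName $NewName -Force -Restart
```

Run it before any role is installed: renaming a server after it has been promoted to a Domain Controller is not supported, and the static address must be in place before the DNS client is pointed at it.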
DISABLE IPV6 VIA REGISTRY EDITOR

**Recommended.

1. Open the Registry Editor by moving your mouse to the bottom-right or top-right corner of the screen, clicking the Search button (magnifying glass), typing REGEDIT and pressing Enter.

2. Expand the following key structure in the Registry Editor:

HKEY_LOCAL_MACHINE
|---SYSTEM
    |---CurrentControlSet
        |---Services
            |---Tcpip6
                |---Parameters

3. Right-click on the Parameters key and click New > DWORD (32-bit) Value.

4. Type in the name DisabledComponents and press Enter.

5. Double-click on the newly created value and enter the value data in Hexadecimal mode. Microsoft's documented value for disabling IPv6 on all interfaces is ff (0xFF). The screenshot below shows ffffffff (8 f's), which has the same effect on IPv6 but is documented by Microsoft to add a delay at boot, so prefer ff. The change takes effect after a restart.

6. Close the Registry Editor.

**Microsoft does not recommend disabling IPv6, since some Windows components expect it to be present. If you do disable it, do so consistently on every server and client through this value (or a Group Policy preference that sets it) rather than only unbinding the adapter; a host that still has IPv6 enabled prefers it over IPv4 and will resolve and connect differently from the rest of the network.


[Screenshot: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters, showing the values (Default) REG_SZ, Dhcpv6DUID REG_BINARY, and DisabledComponents REG_DWORD 0xffffffff (4294967295).]
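The registry value from steps 2 to 5, written and then read back with PowerShell, as an added example that is not part of the DIS guide. It uses 0xFF rather than the 0xFFFFFFFF shown in the screenshot, for the reason given in step 5.

```powershell
# Added example (not from the DIS guide): set DisabledComponents under Tcpip6\Parameters
# and verify it. Run elevated; IPv6 is not actually disabled until the next restart.

$Key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$Value = 0xFF    # disable IPv6 on all tunnel and non-tunnel interfaces, prefer IPv4

# The Parameters key exists on every install, but creating it when absent keeps the
# script safe to re-run on a server where someone has removed it.
if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }

# -Force makes this an overwrite if the value already exists (e.g. an earlier 0xffffffff).
New-ItemProperty -Path $Key -Name 'DisabledComponents' -PropertyType DWord -Value $Value -Force | Out-Null

# Read it back and print it in hex, which is how regedit displays it.
$Current = (Get-ItemProperty -Path $Key -Name 'DisabledComponents').DisabledComponents
'DisabledComponents = 0x{0:X8}' -f $Current

# After the restart, no adapter should list an IPv6 address:
Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
    Select-Object InterfaceAlias, IPAddress
```

Reboot after running it, then run the last two lines again; link-local fe80:: addresses disappear once the value is in effect, which is the quickest way to confirm the setting took.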
DISABLE WINDOWS FIREWALL

1. Open Windows Firewall with Advanced Security by moving your mouse to the bottom-right or top-right corner of the screen, clicking the Search button (magnifying glass), typing Firewall and pressing Enter.

2. In the middle of the screen you will find an "Overview" section; at the bottom of this section click Windows Firewall Properties.


[Screenshot: Windows Firewall with Advanced Security on Local Computer. Overview: Domain Profile, Private Profile and Public Profile (active) all show Windows Firewall is on, inbound connections that do not match a rule are blocked, outbound connections that do not match a rule are allowed. Link: Windows Firewall Properties. Getting Started: Authenticate communications between computers (connection security rules using IPsec); View and create firewall rules.]
3. Turn off the Firewall state for the Domain Profile and the Private Profile.

[Screenshot: Windows Firewall Properties, tabs Domain Profile | Private Profile | Public Profile | IPsec Settings. State: Firewall state On (recommended); Inbound connections Block (default); Outbound connections Allow (default); Protected network connections: Customize. Settings and Logging sections with Customize buttons.]

**This removes the host-based filtering on the server, so it is highly recommended that the firewall be enabled on the DIS router if you are not using a third-party firewall. If you do not have any firewall appliance, leave the Windows Firewall enabled on all profiles. Promoting the server to a Domain Controller enables the predefined inbound rule groups for Active Directory, DNS and Kerberos, so the domain works with the firewall on; adjust the scopes of the inbound/outbound rules to meet application requirements instead of disabling a profile.
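Both choices from this section in PowerShell, as an added example that is not part of the DIS guide: the line that reproduces step 3 is left commented out, and the rest shows the alternative the note recommends, leaving every profile on and scoping an application rule instead. The WSUS port 8530 and the 10.10.0.0/16 campus range in the last rule are assumed values.

```powershell
# Added example (not from the DIS guide). Run elevated on the server.

# What step 3 does: firewall off for Domain and Private, Public left on.
# Set-NetFirewallProfile -Profile Domain,Private -Enabled False

# Alternative from the note: keep all three profiles on with the defaults the
# screenshot shows (inbound blocked, outbound allowed) and log what gets dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Current state of each profile.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

# After the AD DS promotion later in this guide, the predefined DC rule groups exist
# and are enabled; before promotion the query returns nothing.
Get-NetFirewallRule -DisplayGroup 'Active Directory Domain Services', 'DNS Service', 'Kerberos Key Distribution Center' -ErrorAction SilentlyContinue |
    Select-Object DisplayName, Direction, Enabled, Profile

# Where an application needs an extra inbound port, scope the rule to the network
# that needs it rather than turning a profile off. Assumed example: WSUS on TCP 8530
# reachable only from the 10.10.0.0/16 campus network, on the Domain profile.
New-NetFirewallRule -DisplayName 'WSUS HTTP (campus only)' -Direction Inbound -Protocol TCP `
    -LocalPort 8530 -RemoteAddress 10.10.0.0/16 -Action Allow -Profile Domain
```

The blocked-packet log is what you read when an application "stops working after the firewall was turned on": it names the local port and remote address of each drop, which is exactly the information needed to write a scoped rule.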
DOMAIN SERVICES AND ACTIVE DIRECTORY SETUP

**Before starting this section, make sure that your server has a statically assigned IP address and that the DNS server address in the TCP/IP settings points to the server itself (its own static address).

We do not have to pre-install the DNS Server role or pre-create our DNS zone. When the Active Directory Domain Services role is installed, the DNS Server role is installed automatically and configured with the DNS zone specified during the Active Directory installation.


1. Launch Server Manager.

2. Click Manage and then select Add Roles and Features.

[Screenshot: Server Manager, Manage menu: Add Roles and Features, Remove Roles and Features, Add Servers, Create Server Group, Server Manager Properties.]

3. On the Before You Begin screen, click Next.

4. On the Select Installation Type screen, select Role-based or feature-based installation and click Next.

5. On the Select Destination Server screen, click Next.

6. On the Select Server Roles screen, check the box to the left of Active Directory Domain Services.

7. On the Add Roles and Features Wizard dialog box, click Add Features.

8. Click Next for the rest of the screens, and then click Install.

9. When the installation is finished, click Close.
10. Promote the server to a Domain Controller by clicking the Notifications icon (flag icon) and then selecting Promote this server to a domain controller.

[Screenshot: Server Manager notification, Post-deployment Configuration: "Configuration required for Active Directory Domain Services", link Promote this server to a domain controller. Feature installation: "Configuration required. Installation succeeded."]


11. On the Deployment Configuration screen, select Add a new forest. Type the DNS name for the new domain in Root Domain Name and click Next.

**DIS recommends that you type your abbreviated school district name followed by .local, e.g. school.local. DO NOT end your domain name with .com, .net, .org, .edu or any other suffix that is resolvable on the Internet: a suffix you do not control can be registered by a third party, and clients that leave the network would then resolve your internal names against it.

**This domain name is for INTERNAL resolution only. Be aware that Apple, Linux and some printer devices treat .local as the multicast DNS (mDNS) domain, which can slow or break name resolution for them; if such devices must resolve domain names, a sub-domain of a name the district owns but does not publish externally (e.g. ad.school-district.org) avoids the conflict while remaining internal-only.

**This step and those following assume this is the first Domain Controller in a new domain, tree and forest.

12. For the Forest Functional Level and the Domain Functional Level, select the highest level that every current and planned Domain Controller supports; for a forest built only from Windows Server 2012 R2 servers that is Windows Server 2012 R2. Click Next.

**If any earlier version of Windows Server (2003, 2008 or 2008 R2) is present in the domain or will be introduced as a Domain Controller, select the corresponding Forest and Domain Functional Level instead.
[Screenshot: Active Directory Domain Services Configuration Wizard, Domain Controller Options, target server 2012-DC1. Select functional level of the new forest and root domain: Forest functional level Windows Server 2012 R2; Domain functional level drop-down offering Windows Server 2008, Windows Server 2012 and Windows Server 2012 R2. Specify domain controller capabilities: Domain Name System (DNS) server (checked), Global Catalog (GC) (checked). Type the Directory Services Restore Mode (DSRM) password: Password / Confirm password. More about domain controller options. Previous / Next / Install / Cancel.]


13. Under Domain Controller Capabilities, make sure that the Domain Name System (DNS) server and Global Catalog (GC) options are selected.

14. Under Directory Services Restore Mode (DSRM) Password, enter a complex password that is UNIQUE to this server and is NOT your administrator password, record it in the district's password safe, and click Next. The DSRM password is the only credential that works when the directory is offline (restores, or a DC that will not boot normally) and it is a local administrator credential on the DC, so protect it accordingly.

15. On the DNS Options screen, click Next.

**Ignore the parent zone delegation warning at the top of the screen. A new .local forest has no parent zone to delegate from; the zone itself is created during the Active Directory installation.

16. On the Additional Options screen, click Next.

17. On the Location for Database, Log Files and SYSVOL screen, click Next.

18. On the Review Options screen, click Next.

19. On the Prerequisites Check screen, review any warnings and errors. Click Install to start the Domain Controller promotion.

20. When the Active Directory installation finishes, the computer will automatically restart.
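Steps 1 to 20 of this section with the ADDSDeployment cmdlets, as an added example that is not part of the DIS guide. The forest name school.local and NetBIOS name SCHOOL follow the guide's own example; the database, log and SYSVOL paths are the wizard defaults from step 17.

```powershell
# Added example (not from the DIS guide): AD DS role install and forest creation.
# Run elevated on the server that already has its static address and self-pointing DNS.

# Steps 1-9: the AD DS role. The DNS Server role is added during promotion (-InstallDns).
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Step 14: the DSRM password must be unique to this server and different from the
# Administrator password. Read it interactively so it never sits in a script or history.
$DsrmPassword = Read-Host -Prompt 'DSRM password for this DC' -AsSecureString

# Step 19: the prerequisite check can be run on its own before committing.
Test-ADDSForestInstallation -DomainName 'school.local' -DomainNetbiosName 'SCHOOL' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns `
    -SafeModeAdministratorPassword $DsrmPassword

# Steps 11-20: create the forest. -CreateDnsDelegation:$false is the "ignore the
# parent zone delegation warning" choice from step 15. Without -NoRebootOnCompletion
# the server restarts by itself when promotion finishes (step 20).
Install-ADDSForest -DomainName 'school.local' -DomainNetbiosName 'SCHOOL' `
    -ForestMode Win2012R2 -DomainMode Win2012R2 -InstallDns -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $DsrmPassword -Force

# After the restart, confirm the result of steps 13 and 20:
#   Get-ADDomainController | Select-Object Name, IsGlobalCatalog, OperatingSystem
#   Get-Service NTDS, DNS, Kdc | Select-Object Name, Status
```

Keep the test call: it runs the same prerequisite checks as the wizard's step 19 and reports them without touching the server, so a failed check (a DNS client not pointing at this host, for example) is caught before promotion starts.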
ADDITIONAL DNS CONFIGURATION

REVERSE LOOKUP ZONES

21. Log into the server when it has completely booted back up.

22. Launch Server Manager, click on Tools and select DNS from the drop-down list.


[Screenshot: Server Manager, Tools menu, with DNS selected among the administrative tools (Active Directory Administrative Center, Active Directory Domains and Trusts, Active Directory Module for Windows PowerShell, Active Directory Sites and Services, Active Directory Users and Computers, ADSI Edit, Component Services, Computer Management, Defragment and Optimize Drives, DNS, Event Viewer, Group Policy Management, iSCSI Initiator, Local Security Policy, ODBC Data Sources, Performance Monitor, Resource Monitor, Security Configuration Wizard, Services, System Configuration, System Information, Task Scheduler).]

23. Expand your server name, right-click on Reverse Lookup Zones and click New Zone.

24. On the Zone Type screen, take the defaults (Primary zone, stored in Active Directory) and click Next.

25. For the Active Directory Zone Replication Scope, select To all DNS servers running on domain controllers in this domain and click Next.

26. Select IPv4 Reverse Lookup Zone and click Next.

27. For the reverse zone name, enter the first two or three octets of your IP range and click Next.

**If the IP range spans multiple "class C subnets" (/24s), ONLY enter the first two octets, e.g. if the IP range is 10.10.0.0 to 10.10.1.255, then you would only enter 10.10 (giving the zone 10.10.in-addr.arpa).

28. On the Dynamic Update screen, take the default (Allow only secure dynamic updates) and click Next.

29. Click Finish to create the new zone.

**Steps 23 through 29 must be completed for each public and private IP subnet used in the Active Directory environment.


STALE RECORD SCAVENGING

30. Within the DNS Manager, right-click on your DNS server and click Set Aging/Scavenging for All Zones.

31. Check the box Scavenge stale resource records and then click OK. With the default no-refresh and refresh intervals of 7 days each, a dynamically registered record is removed only after 14 days without a refresh; records created by hand are not aged unless "Delete this record when it becomes stale" is set on them.

32. When prompted with the Server Aging/Scavenging Confirmation box, check the Apply these settings to the existing Active Directory-integrated zones option and then click OK.

**Steps 30 through 32 must be completed on each DNS server. The zone aging settings from step 32 replicate with the Active Directory-integrated zones; the server-level scavenging switch from step 31 is per server. Scavenging runs are recorded in the DNS Server event log, which is the first place to look if a host stops resolving.
DNS FORWARDERS

By setting the DNS forwarders to DIS' DNS servers, your server will not have to perform a full recursive resolution of a requested domain name. Instead, it queries the DIS DNS servers for the name and, if cached, the DIS servers return the result from their cache. If the DIS server does not have the result cached, it performs the full lookup and returns the result to your DNS server, which delivers it to your client.

With Windows Server 2012, the Forwarders tab option "Use root hints if no forwarders are available" is checked by default, so should the DIS DNS servers become unavailable your DNS server will fall back to the Internet root hint servers for resolution. Leave it checked, and note that if outbound DNS from the server is restricted to the DIS resolvers at your border, that fallback cannot work and resolution will stop until a forwarder is reachable again.

33. Within the DNS Manager, right-click your server and click Properties.
34. Click the Forwarders tab and then click the Edit button.
35. Enter your DIS DNS servers as specified below and click OK.
36. Click Apply and then OK.
37. Close the DNS Manager.

DNS resolvers for Central Arkansas
DNS = 170.94.156.195 (resolver1.state.ar.us)
DNS = 170.94.156.196 (resolver2.state.ar.us)

DNS resolver for Northwest Arkansas
DNS = 66.204.1.66 (dns4.state.ar.us)

DNS resolver for South Arkansas
DNS = 66.204.193.26 (dns5.state.ar.us)

List the server in your area as the primary DNS resolver. For redundancy purposes, list an alternate DNS resolver in another part of the state.
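The reverse lookup zone, scavenging and forwarder steps (21 to 37) with the DnsServer module, as an added example that is not part of the DIS guide. It assumes the 10.10.0.0/16 campus range from the note under step 27 and a district in Central Arkansas, so resolver1 is primary and dns4 (Northwest) is the out-of-area alternate; the 7-day intervals are the console defaults.

```powershell
# Added example (not from the DIS guide): run on the domain controller after it
# reboots from promotion. Assumed: 10.10.0.0/16, forward zone school.local,
# Central Arkansas district.

Import-Module DnsServer

# Steps 23-29: AD-integrated IPv4 reverse zone. A /16 gives the two-octet zone
# 10.10.in-addr.arpa described in the note; use /24 for a single class C.
# "Domain" = "To all DNS servers running on domain controllers in this domain";
# Secure = the wizard's default "Allow only secure dynamic updates".
Add-DnsServerPrimaryZone -NetworkId '10.10.0.0/16' -ReplicationScope Domain -DynamicUpdate Secure

# Steps 30-32: server scavenging on, and the same aging intervals applied to every
# existing AD-integrated zone (the confirmation box in step 32).
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00 `
    -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00 -ApplyOnAllZones

# Steps 33-36: forwarders, primary first. -UseRootHint keeps the fallback described above.
Set-DnsServerForwarder -IPAddress 170.94.156.195, 66.204.1.66 -UseRootHint $true

# Verify each piece.
Get-DnsServerZone | Where-Object IsReverseLookupZone |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate
Get-DnsServerZoneAging -Name '10.10.in-addr.arpa' | Select-Object ZoneName, AgingEnabled, NoRefreshInterval, RefreshInterval
Get-DnsServerScavenging
Get-DnsServerForwarder

# End-to-end check through this server: a public name via the forwarders, and a
# reverse lookup of the DC itself, which its own dynamic registration should have added.
Resolve-DnsName -Name 'www.microsoft.com' -Type A   -Server 127.0.0.1
Resolve-DnsName -Name '10.10.10.10'       -Type PTR -Server 127.0.0.1
```

If the PTR query comes back empty, run ipconfig /registerdns on the DC and query again; the reverse zone only fills as hosts refresh their registrations, which is also why scavenging must not be set more aggressively than the client refresh cycle.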
DHCP INSTALLATION AND CONFIGURATION

1. Launch Server Manager.

2. Click Manage and then select Add Roles and Features.
[Screenshot: Server Manager, Manage menu: Add Roles and Features, Remove Roles and Features, Add Servers, Create Server Group, Server Manager Properties.]


3. On the Before You Begin screen, click Next.

4. On the Select Installation Type screen, select Role-based or feature-based installation and click Next.

5. On the Select Destination Server screen, click Next.

6. On the Select Server Roles screen, select the DHCP Server role, click on Add Features and click Next.

7. Click Next for the rest of the screens, and then click Install.

8. When the installation is finished, click Close.

9. Configure the DHCP Server installation by clicking the Notifications icon (flag icon) and then selecting Complete DHCP configuration.
[Screenshot: Server Manager notification, Post-deployment Configuration: "Configuration required for DHCP Server at WIN-DC1", link Complete DHCP configuration. Feature installation: "Configuration required. Installation succeeded on WIN-DC1.SCHOOL.LOCAL."]
10. On the Description screen, click Next.

11. On the Authorization screen, click Commit. This authorizes the DHCP server in Active Directory with the credentials shown (the account must be an Enterprise Admin or have been delegated authorization rights) and creates the local DHCP Administrators and DHCP Users groups.

12. Now that the DHCP Server role has been installed, configure it in DHCP Manager by clicking on Tools and selecting DHCP from the drop-down list.


[Screenshot: Server Manager, Tools menu, with DHCP selected among the administrative tools.]

13. Expand the server node and the IPv4 node until you see Server Options and Policies.

14. Right-click on IPv4 and select New Scope.

15. On the Scope Name screen, enter the scope name and description you want to use for this scope, e.g. IP NAT POOL.

16. On the IP Address Range screen, type in the starting and ending IP address for this scope along with the subnet mask. This is the range of IP addresses this DHCP server will issue. Click Next.

**It is recommended to leave a few addresses at the start of the scope for static assignment, e.g. if the IP range is 10.10.10.0 - 10.10.11.255 (subnet mask 255.255.254.0), enter 10.10.10.51 for the Starting IP Address and 10.10.11.254 for the Ending IP Address to leave 50 addresses at the beginning of your IP range for static assignment.

17. On the Add Exclusions screen, enter any IP addresses you want excluded from the DHCP range defined in the previous step and then click Next.

18. On the Lease Duration screen, take the default values unless required otherwise and click Next.

19. On the Configure DHCP Options screen, select No, I will configure these options later, click Next and then Finish to close the wizard.

20. Right-click Server Options and select Configure Options. From the list, configure the following options:

- 003 Router --- gateway address for devices
- 006 DNS Servers --- on-premises DNS servers, typically the Domain Controllers
- 015 DNS Domain Name --- domain name, e.g. school.local
- 044 WINS/NBNS Servers --- on-premises WINS servers
- 046 WINS/NBT Node Type --- recommended to be configured as 0x8 (hybrid: query WINS first, then broadcast)

21. Right-click IPv4 and select Properties. Under the Advanced tab, change Conflict Detection Attempts to 3, so the server pings an address before offering it and skips any that answer.

22. Also under the Advanced tab, click on the Bindings button and verify that the only network adapter checked is the adapter on the subnet the DHCP server will serve addresses for.

23. Once all the settings are done, right-click on the newly created scope and select Activate for the DHCP server to start handing out addresses. Only a DHCP server authorized in Active Directory (step 11) will do so; an unauthorized Windows DHCP server shuts its service down, which protects the network against accidental Windows DHCP servers but not against non-Windows ones.
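The whole DHCP section (role install, authorization, scope, options, conflict detection, bindings and activation) with the DhcpServer module, as an added example that is not part of the DIS guide. The values follow the guide's own example range 10.10.10.0 - 10.10.11.255; the gateway 10.10.10.1, the DC address 10.10.10.10 (also used as DNS and WINS server), the exclusion range and the server name WIN-DC1.school.local are assumptions.

```powershell
# Added example (not from the DIS guide): DHCP steps 1-23. Run elevated on the DC
# as a Domain/Enterprise Admin. Assumed: WIN-DC1.school.local at 10.10.10.10.

# Steps 1-8: the role.
Install-WindowsFeature -Name DHCP -IncludeManagementTools

# Steps 9-11: what "Complete DHCP configuration" does. Authorization in AD is what
# lets the service lease addresses at all; the registry write clears the Server
# Manager flag so the notification does not keep appearing.
Add-DhcpServerInDC -DnsName 'WIN-DC1.school.local' -IPAddress 10.10.10.10
Add-DhcpServerSecurityGroup
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\ServerManager\Roles\12' -Name ConfigurationState -Value 2

# Steps 14-19: the scope, created inactive so it can be finished before it serves.
# 10.10.10.1-.50 are outside the pool for static assignment, per the note under step 16.
Add-DhcpServerv4Scope -Name 'IP NAT POOL' -Description 'Campus client pool' `
    -StartRange 10.10.10.51 -EndRange 10.10.11.254 -SubnetMask 255.255.254.0 `
    -LeaseDuration 8.00:00:00 -State InActive

# Step 17: an exclusion inside the pool for hand-assigned devices (assumed range).
Add-DhcpServerv4ExclusionRange -ScopeId 10.10.10.0 -StartRange 10.10.11.240 -EndRange 10.10.11.254

# Step 20: server-wide options 003, 006, 015, 044 and 046.
Set-DhcpServerv4OptionValue -Router 10.10.10.1 -DnsServer 10.10.10.10 -DnsDomain 'school.local' -WinsServer 10.10.10.10
Set-DhcpServerv4OptionValue -OptionId 46 -Value 8     # decimal 8 = 0x8, hybrid node type

# Step 21: ping an address three times before offering it.
Set-DhcpServerSetting -ConflictDetectionAttempts 3

# Step 22: serve only from the adapter on 10.10.10.10; unbind every other one.
Get-DhcpServerv4Binding | Where-Object { $_.IPAddress -ne '10.10.10.10' } |
    ForEach-Object { Set-DhcpServerv4Binding -InterfaceAlias $_.InterfaceAlias -BindingState $false }

# Step 23: activate.
Set-DhcpServerv4Scope -ScopeId 10.10.10.0 -State Active

# Verify: authorized in AD, scope active, options present, one bound adapter.
Get-DhcpServerInDC
Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, State
Get-DhcpServerv4OptionValue | Select-Object OptionId, Name, Value
Get-DhcpServerv4Binding | Select-Object InterfaceAlias, IPAddress, BindingState
```

Get-DhcpServerInDC lists every authorized DHCP server in the forest, so it doubles as the check for servers you did not authorize; anything listed there that you do not recognize should be removed with Remove-DhcpServerInDC.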
WINS INSTALLATION AND CONFIGURATION

WINS resolves NetBIOS names, which only older applications and operating systems still depend on. Install it only where something in the district requires it; otherwise skip this section and leave DHCP options 044 and 046 unset.

1. Launch Server Manager.

2. Click Manage and then select Add Roles and Features.

[Screenshot: Server Manager, Manage menu: Add Roles and Features, Remove Roles and Features, Add Servers, Create Server Group, Server Manager Properties.]

3. On the Before You Begin screen, click Next.

4. On the Select Installation Type screen, select Role-based or feature-based installation and click Next.

5. On the Select Destination Server screen, click Next.

6. On the Select Server Roles screen, click Next.

7. On the Select Features screen, select WINS Server, click on Add Features, click Next and then click Install.

8. Add the WINS IP addresses to each respective network card in all servers.

9. If multiple WINS servers are being deployed, they need to be added as replication partners under WINS Manager.

10. Open WINS Manager by selecting Tools in Server Manager and then selecting WINS from the drop-down list.

11. Expand the respective WINS server and click on Replication Partners.

12. Right-click Replication Partners and select New Replication Partner.

13. Enter the name of the server that will replicate with this WINS server and close WINS Manager.

**Steps 12 and 13 need to be repeated on every WINS server in the domain.
WINDOWS SERVER UPDATE SERVICES (WSUS)

Microsoft Windows Server Update Services (WSUS) enables IT administrators to deploy the latest Microsoft product updates to systems running Microsoft products. By using WSUS, you can fully manage the distribution of updates that are released through Microsoft Update to computers in your network.

For Windows Server 2012, WSUS requires the following:
- At least Microsoft Internet Information Services (IIS) 6.0
- At least Microsoft .NET Framework 2.0
- The WSUS 4.0 management console requires at least Windows 8 when run from a separate workstation
- 1 GB of free space on the system partition

**You will want to have a WSUS server at each physical site that is behind a router, so that computers do not cross the WAN connection to get their updates.

INSTALLING AND CONFIGURING WSUS

1. Launch Server Manager.

2. Click Manage and then select Add Roles and Features.

3. On the Before You Begin page, click Next.

4. On the Select Installation Type screen, select Role-based or feature-based installation and click Next.

5. On the Select Destination Server screen, click Next.

6. On the Select Server Roles page, select Windows Server Update Services.

7. In the Add Roles and Features dialog box that pops up, click Add Features and then click Next.

8. On the Select Features page, leave the default selections, and then click Next.

**WSUS only requires the default Web Server role configuration. If you are prompted for additional Web Server role configuration while setting up WSUS, you can safely accept the default values and continue.

9. On the Windows Server Update Services page, click Next.

10. On the Select Role Services page, leave the default selections (WID Database and WSUS Services) unless an external SQL Server database is being used, and then click Next.


[Screenshot: Add Roles and Features Wizard, Select role services, destination server WIN-DC1.school.local. "Select the role services to install for Windows Server Update Services": WID Database (checked, "Installs the database used by WSUS into WID"), WSUS Services (checked), Database. Previous / Next / Install / Cancel.]


11. On the Content Location Selection page, type a valid location to store the updates, e.g. D:\WSUS, and then click Next.

**Plan for at least 200 GB of free disk space on the volume selected to store updates locally; the content grows with every product and classification you select in the configuration wizard.


12. On the Web Server Role (IIS) page, click Next. 


13. On the Select role services page, leave the default selections, and then 
click Next. 


14. On the Confirm installation selections page, review the selected options, 
and then click Install. 


15. On the Installation progress page, make sure that the installation succeeded, 
and then click Close. 


16. Now that the WSUS role is installed, configure it by clicking on Tools and selecting Windows Server Update Services from the drop-down list.

17. When the Complete WSUS Installation dialog box appears, click Run.

[Dialog: "The locally hosted WSUS Server requires additional steps in order to complete the installation. WSUS post-installation process can run those steps for you. Would you like to run it now?" Store updates locally; Content directory path: the path chosen in step 11 (the screenshot shows C:\WSUS). Run / Close.]

18. In the Complete WSUS Installation dialog box, click Close when the installation successfully finishes.


19. The Windows Server Update Services Wizard appears and on the Before you 
Begin page, click Next. 


20. Read the instructions on the Join the Microsoft Update Improvement 
Program page and evaluate if you want to participate or not. If you do not 
want to participate, Uncheck the box and click Next. 


21. On the Choose Upstream Server page, select Synchronize from Microsoft Update and click Next.

**If you are synchronizing from another WSUS server within the district, enter that server's name and the port WSUS listens on there. WSUS on Windows Server 2012 uses port 8530 for HTTP and 8531 for HTTPS by default; check Use SSL when synchronizing update information if you connect on 8531.


22. On Specify Proxy Server settings, leave the default values, unless these 
settings are required for your environment and then click Next. 


23. On the Connect to Upstream Server, click Start Connecting to retrieve the 
current updated list of products available. 


24. When the initial product file download is completed, click Next. 


25. On the Choose Languages page, verify that English is the ONLY selected language and then click Next.

26. On the Choose Products page, choose the Microsoft products running in your environment that will require updates and click Next.

27. On the Choose Classifications page, it is recommended to select everything EXCEPT Drivers and click Next.


28. On the Set Sync Schedule page, select Synchronize automatically and set 
this to off-peak usage hours e.g. 11:00pm and then click Next. 


29. Click Finish on the next screen to complete the configuration wizard. 


30. On the Update Services management console screen, expand your WSUS 
Server and click Options. 


31. In the Options pane, select Update Files and Languages. Under Update Files, keep Store update files locally on this server, uncheck Download update files to this server only when updates are approved, and click OK.

[Dialog: Update Files and Languages, Update Files tab. "You can specify where to store update files. Storing files locally requires sufficient disk space." Options: Store update files locally on this server (selected); Download update files to this server only when updates are approved; Download express installation files (these provide faster download and installation on computers, but are larger and will increase download times for your server); Do not store update files locally; computers install from Microsoft Update. Note: saving file and language settings may take several minutes; during this time computers cannot receive updates and other settings cannot be saved.]


**With that box unchecked, the server downloads every update it synchronizes, so if you approve updates manually your workstations can install them immediately instead of waiting for the download that would otherwise start only at approval time.

32. In the Options pane, select Automatic Approvals. 


33. Select the Default Automatic Approval Rule and click Edit. 


34. In the Step 2 box, click the underlined Critical Updates, Security Updates link.

[Dialog: automatic approval rule editor. "Select which updates to approve and the groups for which to approve them." Step 1: Select properties (When an update is in a specific classification; When an update is in a specific product; Set a deadline for the approval). Step 2: Edit the properties (click an underlined value): When an update is in Critical Updates, Security Updates; Approve the update for all computers. Step 3: Specify a name: Default Automatic Approval Rule.]


35. Select all classification items EXCEPT Drivers and click OK.

**Some districts choose not to select Feature Packs. These include items such as Silverlight and Desktop Search.

36. Verify that Default Automatic Approval Rule is checked. Click Apply and OK. Automatic approval pushes every synchronized update in those classifications to all computers without review, so pair it with the scheduled install window in the WSUS Group Policy section and check the Update Services console after each sync for updates that failed on clients.


[Dialog: Automatic Approvals, Update Rules tab. "You can specify rules for automatically approving new updates when they are synchronized." New Rule / Edit / Delete / Run Rule. Default Automatic Approval Rule (checked). Rule properties: When an update is in Critical Updates, Definition Updates, Feature Packs, Security Updates, Service Packs, Tools, Update Rollups, Updates; Approve the update for all computers.]
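The WSUS install and the configuration wizard choices from steps 1 to 36 as a script, an added example that is not part of the DIS guide. It uses the UpdateServices cmdlets where they exist and otherwise the Microsoft.UpdateServices.Administration API object that Get-WsusServer returns; the content path D:\WSUS, the product list and the 23:00 sync time are assumptions, and the API member names are as the author recalls them from the WSUS administration assembly.

```powershell
# Added example (not from the DIS guide): WSUS role, post-install and the wizard
# settings from steps 17-36. Run elevated on the WSUS server.

# Steps 1-15: the role with the WID database role service.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# Step 17: the post-install task behind the "Complete WSUS Installation" dialog.
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=D:\WSUS

$Wsus   = Get-WsusServer
$Config = $Wsus.GetConfiguration()

# Step 21: synchronize from Microsoft Update. For an upstream WSUS in the district use
# Set-WsusServerSynchronization -UssServerName <host> -PortNumber 8530 (8531 with -UseSsl).
Set-WsusServerSynchronization -SyncFromMU

# Step 25: English only.
$Config.AllUpdateLanguagesEnabled = $false
$Config.SetEnabledUpdateLanguages(@('en'))

# Step 31: download every synchronized update, not only approved ones.
$Config.DownloadUpdateBinariesAsNeeded = $false
$Config.Save()

# Step 27: every classification except Drivers.
Get-WsusClassification |
    Where-Object { $_.Classification.Title -ne 'Drivers' } |
    Set-WsusClassification

# Step 26: the products in use (assumed list).
Get-WsusProduct |
    Where-Object { $_.Product.Title -in @('Windows 7', 'Windows Server 2012 R2') } |
    Set-WsusProduct

# Step 28: automatic sync once a day at 23:00.
$Subscription = $Wsus.GetSubscription()
$Subscription.SynchronizeAutomatically          = $true
$Subscription.SynchronizeAutomaticallyTimeOfDay = New-TimeSpan -Hours 23
$Subscription.NumberOfSynchronizationsPerDay    = 1
$Subscription.Save()

# Steps 32-36: the Default Automatic Approval Rule with every classification except
# Drivers, enabled. The rule approves for the "All Computers" group it already targets.
$Rule    = $Wsus.GetInstallApprovalRules() | Where-Object Name -eq 'Default Automatic Approval Rule'
$Classes = New-Object Microsoft.UpdateServices.Administration.UpdateClassificationCollection
$Wsus.GetUpdateClassifications() | Where-Object Title -ne 'Drivers' | ForEach-Object { [void]$Classes.Add($_) }
$Rule.SetUpdateClassifications($Classes)
$Rule.Enabled = $true
$Rule.Save()

# Start the first sync now rather than waiting for 23:00, then check its status.
$Subscription.StartSynchronization()
$Subscription.GetSynchronizationStatus()
```

After the first sync finishes, GetSynchronizationStatus returns NotProcessing and $Subscription.GetLastSynchronizationInfo() shows the result; a Failed result with a proxy error is the cue to revisit step 22.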
WSUS GROUP POLICY


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Group 
Policy Objects. 


5. Right-click on the Group Policy Objects and then select New. 
6. Name the new group policy WSUS Policy and click OK. 


7. Expand Group Policy Objects. Right-click the newly created WSUS Policy and 
click Edit to open the Group Policy Editor. 


8. Expand Computer Configuration > Policies > Administrative Templates > 
Windows Components and select Windows Update. 


9. Double-click on Configure Automatic Updates, change Not Configured to Enabled and select option 4 (Auto download and schedule the install) under the Configure automatic updating drop-down menu.


10. Set the desired scheduled install day and time. 
[Screenshot: Configure Automatic Updates policy set to Enabled. Options: Configure automatic updating = 4 - Auto download and schedule the install (the other choices are 2 - Notify for download and notify for install, 3 - Auto download and notify for install, 5 - Allow local admin to choose setting); Scheduled install day = 0 - Every day; Scheduled install time = 12:00. Help text: this setting specifies whether the computer receives security updates and other important downloads through the Windows automatic updating service; if enabled, one of the four options must be selected.]

11. Click the Next Setting button to change to the Specify Intranet Microsoft Update Service Location window.

12. Change Not Configured to Enabled and in both entry boxes enter http://YourWsusServername:8530 and then click OK.

**The plain-HTTP address above is the WSUS default. If the WSUS server has been configured for SSL, enter https://YourWsusServername:8531 in both boxes instead, so that clients do not fetch update metadata and approval lists in the clear.

13. Click the Next Setting button to change to the Automatic Updates detection frequency window.

14. Change Not Configured to Enabled, leave the default value for Interval (hours) and then click OK.

15. Double-click on Allow Automatic Updates immediate installation, change Not Configured to Enabled and then click OK.

16. Double-click on No auto-restart for scheduled Automatic Updates installations, change Not Configured to Enabled and then click OK.

17. Double-click on Reschedule Automatic Updates Scheduled Installations.

18. Change Not Configured to Enabled, change the startup (minutes) to any value between 1 and 5 (recommended) and then click OK.

19. Close the Group Policy Management Editor.
20. Drag and drop WSUS Policy onto the Workstations OU to link the policy to everything residing under Workstations.

**It is recommended to have a separate Group Policy for domain servers and domain workstations to avoid automatic restarts on servers.
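As an added example that is not part of the guide, the same WSUS Policy GPO built with the GroupPolicy module on a domain controller (or a management workstation with RSAT). The registry keys are the documented policy locations that the Windows Update administrative template writes to; the WSUS server name, the SCHOOL.LOCAL domain and the Workstations OU path are assumptions taken from the guide's placeholders.

```powershell
# Added example: create and link the WSUS Policy GPO from steps 1-20 without the GPMC editor.
# Assumes: GroupPolicy module (GPMC installed), WSUS at YourWsusServername, domain SCHOOL.LOCAL.
Import-Module GroupPolicy

$gpoName = 'WSUS Policy'
$wsusUrl = 'http://YourWsusServername:8530'    # https://YourWsusServername:8531 if the server has SSL configured
$wu      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$au      = "$wu\AU"

$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }    # steps 5-6

# Step 12: Specify intranet Microsoft update service location (both boxes)
Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName 'WUServer'       -Type String -Value $wsusUrl | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $wu -ValueName 'WUStatusServer' -Type String -Value $wsusUrl | Out-Null

# Steps 9-10 and 14-18: values under the AU key, with the option each one corresponds to
$settings = @{
    UseWUServer                   = 1    # required for the intranet location to take effect
    NoAutoUpdate                  = 0    # Configure Automatic Updates: Enabled
    AUOptions                     = 4    # 4 - Auto download and schedule the install
    ScheduledInstallDay           = 0    # 0 - Every day
    ScheduledInstallTime          = 12   # 12:00
    DetectionFrequencyEnabled     = 1; DetectionFrequency = 22   # default interval (hours)
    AutoInstallMinorUpdates       = 1    # Allow Automatic Updates immediate installation
    NoAutoRebootWithLoggedOnUsers = 1    # No auto-restart for scheduled installations
    RescheduleWaitTimeEnabled     = 1; RescheduleWaitTime = 5    # Reschedule ... startup (minutes)
}
foreach ($name in $settings.Keys) {
    Set-GPRegistryValue -Name $gpoName -Key $au -ValueName $name -Type DWord -Value $settings[$name] | Out-Null
}

# Step 20: link to the Workstations OU only. Servers get their own GPO without NoAutoRebootWithLoggedOnUsers
# forced on, so that patches on servers are installed and rebooted on the schedule you choose for them.
New-GPLink -Name $gpoName -Target 'OU=Workstations,DC=SCHOOL,DC=LOCAL' -LinkEnabled Yes | Out-Null

# Verify what the GPO now carries
Get-GPRegistryValue -Name $gpoName -Key $au | Format-Table ValueName, Value -AutoSize
```

On a client, gpupdate /force followed by wuauclt /detectnow (or Get-ItemProperty on the same keys under HKLM:\SOFTWARE\Policies) confirms the values arrived.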
BASIC ACTIVE DIRECTORY STRUCTURE FOR K12

SINGLE SITE ACTIVE DIRECTORY NETWORKS


1. Launch Server Manager. 


2. Click on Tools and select Active Directory Users and Computers from the 
drop down list 



3. Right-click on YourDomain.LOCAL, click New, then Organizational Unit (OU).

4. Enter Faculty as the name of the new Organizational Unit, then click OK.

**Uncheck the Protect container from accidental deletion box before clicking OK only if you do NOT want the OU protected from being deleted or moved. Leaving it checked is the safer default; the flag can be cleared later from the OU's Object tab when a deletion is really intended.
[Screenshot: Active Directory Users and Computers showing SCHOOL.LOCAL with the default containers Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, Managed Service Accounts and Users, plus the new Faculty OU.]

**Repeat Steps 3 and 4 for the other Organizational Units required in your Active Directory environment, e.g. Students, Workstations, Domain Member Servers, and Custom Security Groups.


[Screenshot: Active Directory Users and Computers, SCHOOL.LOCAL, after the OUs are created:]

SCHOOL.LOCAL
  Builtin (builtinDomain)
  Computers (Container, default container for upgraded computer accounts)
  Custom Security Groups (Organizational Unit)
  Domain Controllers (Organizational Unit, default container for domain controllers)
  Domain Member Servers (Organizational Unit)
  Faculty (Organizational Unit)
    Administration
    Elementary
    HighSchool
    Technology
  ForeignSecurityPrincipals (Container, default container for security identifiers from trusted domains)
  Managed Service Accounts (Container, default container for managed service accounts)
  Students (Organizational Unit)
    2016
    2017
    2018
  Users (Container, default container for upgraded user accounts)
  Workstations (Organizational Unit)
    Elementary
    Faculty
    HighSchool
    Technology

Arkansas Department of Information Systems — APSCN LAN Support 
Printed on 5/14/2014 


30|Page 


Now that we have our basic OU structure set up, we need to create our security groups. It is best to use security groups to assign permissions rather than assigning permissions to network shares using individual accounts. It is much easier to find where someone is getting incorrect access to something if access to files and shares is based on security groups.
5. Right-click on the Custom Security Groups OU then click New Group. 


6. Name this group Faculty and click OK. 


[Screenshot: New Object - Group, Create in: SCHOOL.LOCAL/Custom Security Groups. Group name: Faculty; Group name (pre-Windows 2000): Faculty; Group scope: Global; Group type: Security.]


**Repeat Steps 5 and 6 for all Custom Security Groups required in your Active Directory environment, e.g. Students, Journalism, YearBook, and Technology.


**If you are running Active Directory over multiple sites (behind more than one 
router), you would want to create an OU for each site, place Workstations, Faculty, 
and Students OU’s under that Site OU. You can delegate campus level technicians to 
be able to have the authority to maintain user accounts, computer accounts, etc. that 
reside only in their campus’ OU. 
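The OU layout from the screenshots and the security groups from steps 5-6, created with the ActiveDirectory module. This is an added example, not part of the guide: the domain DN is read from the domain the script runs in, the OU and group names are the ones shown above, and the script is safe to re-run because it skips objects that already exist.

```powershell
# Added example: build the K12 OU tree and global security groups from steps 3-6.
# Assumes: ActiveDirectory module (RSAT-AD-PowerShell), run as a domain admin.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName     # e.g. DC=SCHOOL,DC=LOCAL

# Top-level OUs and their children, as in the screenshot. Empty lists are leaf OUs.
$layout = @{
    'Faculty'                = 'Administration', 'Elementary', 'HighSchool', 'Technology'
    'Students'               = '2016', '2017', '2018'
    'Workstations'           = 'Elementary', 'Faculty', 'HighSchool', 'Technology'
    'Domain Member Servers'  = @()
    'Custom Security Groups' = @()
}

function Ensure-Ou([string]$Name, [string]$ParentDn) {
    $existing = Get-ADOrganizationalUnit -LDAPFilter "(ou=$Name)" -SearchBase $ParentDn -SearchScope OneLevel
    if (-not $existing) {
        # ProtectedFromAccidentalDeletion stays at its default of $true (the checkbox in step 4)
        New-ADOrganizationalUnit -Name $Name -Path $ParentDn
    }
}

foreach ($top in $layout.Keys) {
    Ensure-Ou -Name $top -ParentDn $domainDn
    foreach ($child in $layout[$top]) {
        Ensure-Ou -Name $child -ParentDn "OU=$top,$domainDn"
    }
}

# Global security groups that shares are permissioned to (never individual accounts)
$groupOu = "OU=Custom Security Groups,$domainDn"
foreach ($g in 'Faculty', 'Students', 'Journalism', 'YearBook', 'Technology') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'" -SearchBase $groupOu)) {
        New-ADGroup -Name $g -SamAccountName $g -GroupScope Global -GroupCategory Security -Path $groupOu
    }
}

# Verify the tree and the groups
Get-ADOrganizationalUnit -Filter * -SearchBase $domainDn | Sort-Object DistinguishedName | Select-Object DistinguishedName
Get-ADGroup -Filter * -SearchBase $groupOu | Select-Object Name, GroupScope, GroupCategory
```

For the multi-site layout described in the note above, add a site OU as another top-level key and nest Workstations, Faculty and Students under it; delegation to campus technicians is then done on that site OU with the Delegation of Control wizard.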
CREATE SHARES AND HOME DIRECTORIES

The first thing we need to do before we can create our user template is to create a network share for the home directories.

1. Open Computer and browse to the volume that will hold the faculty home directories.

**It is recommended that Faculty and Student home folders be stored on individual volumes. Do not place them on the same volume or on the DATA volume.

2. Create a new folder called Faculty-Homes.

3. Right-click on the Faculty-Homes folder and click Properties.

4. Select the Sharing tab and click the Advanced Sharing button.

5. Select the Share this folder check box.

6. For the share name type Faculty-Homes$.

**When sharing folders or drives with Windows, if a dollar sign ($) character is added to the end of a share name, the share name does not appear in a browsed list of available shares on the server. Hiding the share is a convenience only: anyone who knows or guesses the name can still connect to it, so the share and NTFS permissions set below are what actually control access.

7. Click on the Permissions button.

8. Select Everyone and click Remove.

9. Click Add. In the name box enter Domain Admins, Administrators, and Faculty, each separated by a semi-colon. Click the Check Names button and then click OK.

**If a name or group is misspelled or not found in the Directory, you will be prompted to correct the spelling or to distinguish the proper group, should the same text exist within multiple groups.

10. Give Domain Admins and Administrators both Full Control.

11. Give the Faculty group Change rights; they will receive Read automatically.
12. Click on the Caching button. Select No files or programs from this shared folder will be available offline.


**Unless required, it is NOT recommended to allow offline file-caching 
for any network shares as these files will be synced at every log off for 
every user using the share. 


13. Click OK, Apply, and then OK until all property windows are closed. 


14. Select the Security tab and click the Advanced button.

[Screenshot: Faculty-Homes Properties, Security tab. Object name: C:\Faculty-Homes. Group or user names: SYSTEM, Administrators (SCHOOL\Administrators), Users (SCHOOL\Users). Permissions for CREATOR OWNER (Full control, Modify, Read & execute, List folder contents) are greyed out because they are inherited.]
15. On the Advanced Security Settings page, click on Disable inheritance. 


**By Default all folders created have “Inheritance” turned on which 
means that the folder inherits its rights from its parent folder. The 
easiest way to distinguish this is to notice that the Allow or Deny 
selection boxes will be grayed out for a user or group that is getting 
rights through inheritance. 
[Screenshot: Advanced Security Settings for C:\Faculty-Homes. Owner: Administrators (SCHOOL\Administrators). Permission entries, all inherited from C:\: Allow SYSTEM Full control (this folder, subfolders and files); Allow Administrators (SCHOOL\Administrators) Full control (this folder, subfolders and files); Allow Users (SCHOOL\Users) Read & execute (this folder, subfolders and files); Allow Users (SCHOOL\Users) Special (this folder and subfolders); Allow CREATOR OWNER Full control (subfolders and files only). Buttons: Add, Remove, Disable inheritance; checkbox "Replace all child object permission entries with inheritable permission entries from this object".]


16. A dialog box prompting that permission inheritance from the parent 
folder is being blocked will popup. 


17. Select Convert inherited permissions into explicit permissions on this 
object. 


A What would you like to do with the current inherited permissions? 


You are about to block inheritance to this object, which means that permissions 
inherited from a parent object will no longer be applied to this object. 


+ Convert inherited permissions into explicit permissions on 
; g this object. 


> Remove all inherited permissions from this object. 


18. Click Apply and then OK to return to the Faculty-Homes Properties 
screen. 


19. Your permissions to Faculty-Homes should now look like the following 
screen. 
[Screenshot: Faculty-Homes Properties, Security tab after inheritance is disabled. Group or user names: CREATOR OWNER, SYSTEM, Administrators (SCHOOL\Administrators), Users (SCHOOL\Users); the entries are now explicit and editable.]

20. Click on the Edit button and remove all groups from the list except the Administrators group.


21. Click on Add, enter Domain Admins and click OK. 


22. Click on Domain Admins, then under Permissions for Domain Admins 


check Full Control under Allow section. Click Apply and OK. 


[Screenshot: Faculty-Homes Properties, Security tab, final state. Group or user names: Domain Admins (SCHOOL\Domain Admins) and Administrators (SCHOOL\Administrators) only; Domain Admins has Full control.]
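The whole share-and-NTFS procedure (steps 1-22) as a script, added here as an example and not taken from the guide. The SCHOOL domain, the group names and the Faculty-Homes$ share name are the guide's; D: as the dedicated home-folder volume is an assumption. The end state matches the last screenshot: Administrators and Domain Admins with Full Control, nothing inherited, and the Faculty group with Change on the share only.

```powershell
# Added example: create the hidden Faculty-Homes$ share and lock down its NTFS ACL (steps 1-22).
# Assumes: run as a domain admin on the file server, SCHOOL domain, D: as the home-folder volume.
$path  = 'D:\Faculty-Homes'
$share = 'Faculty-Homes$'    # the $ only hides the share from browse lists; it is not an access control
New-Item -ItemType Directory -Path $path -Force | Out-Null

# Share permissions (steps 7-12): Everyone removed, admins Full Control, Faculty Change, no offline caching
New-SmbShare -Name $share -Path $path `
    -FullAccess 'BUILTIN\Administrators', 'SCHOOL\Domain Admins' `
    -ChangeAccess 'SCHOOL\Faculty' `
    -CachingMode None | Out-Null

# NTFS (steps 15-18): block inheritance and keep the inherited entries as explicit ones
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $true)    # $true, $true = disable inheritance, convert to explicit
Set-Acl -Path $path -AclObject $acl

# NTFS (steps 20-22): remove everything except Administrators, then add Domain Admins with Full Control.
# Faculty users get no rights on the parent on purpose: ADUC grants each user Full Control on their own
# subfolder when it creates it, and "Bypass traverse checking" (granted to Everyone by default) lets them
# open \\server\Faculty-Homes$\<user> without being able to list the parent folder.
$acl = Get-Acl -Path $path
foreach ($identity in @($acl.Access | ForEach-Object { $_.IdentityReference } | Select-Object -Unique)) {
    if ($identity.Value -ne 'BUILTIN\Administrators') { $acl.PurgeAccessRules($identity) }
}
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'SCHOOL\Domain Admins', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
Set-Acl -Path $path -AclObject $acl

# Verify: only Administrators and Domain Admins remain, none of them inherited
(Get-Acl -Path $path).Access | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessRight -AutoSize
```

Repeat with Student-Homes$, the Students group and the student volume for the second share. If a backup agent or indexer on the server needs SYSTEM on the folder, add SYSTEM back explicitly rather than re-enabling inheritance.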
CREATING USER TEMPLATE


Now that the network share to store home directories is set up, the user template will be created using the following steps:


23. Launch Server Manager, click on Tools and select Active Directory Users 
and Computers from the drop down list. 


24. Right click on the Faculty OU, select New, and then User. 


25. In the information screen fill it out as shown below and then click Next.

[Screenshot: New Object - User, Create in: school.local/Faculty. First name: _Faculty; Last name: Template; Full name: _Faculty Template; User logon name: Ftemplate; User logon name (pre-Windows 2000): SCHOOL\ followed by the logon name, filled in automatically.]
**An underscore before the first name places the template at the top of the list within the Organizational Unit.

26. Enter a password for the template account that meets the minimum password requirements. Make sure User must change password at next logon and Account is disabled are checked and click Next.

**It is recommended that a template account is ALWAYS disabled after creation. A template that is enabled is an ordinary logon with whatever group memberships you give it.


[Screenshot: New Object - User, password page, Create in: school.local/Faculty. Password and Confirm password filled in; User must change password at next logon checked; User cannot change password unchecked; Password never expires unchecked; Account is disabled checked.]

Now that the template account is set up, it needs to be configured for the logon script and home directory path, and made a member of the required security group(s), by following these steps:

27. Right-click on the _Faculty Template account and click Properties.

28. Click on the Member Of tab and then click on Add.

29. In the Select Groups box, type Faculty and click Check Names. Add any additional security group this template needs to be a member of and then click OK.

30. Click on the Profile tab and in the Logon Script text box, enter logon.bat

31. Under the Home folder section, click the radio button next to Connect.
32. Select the drive letter to be used for the user's home directory when it is mapped.

33. In the To: text box enter \\servername\Faculty-Homes$\%username%

[Screenshot: _Faculty Template Properties, Profile tab. User profile: Profile path blank; Logon script: logon.bat. Home folder: Connect selected, To: \\win-dc1\faculty-homes$\%username%]

34. Click Apply and then OK.

**The %username% in the home directory path will automatically change to the login id of the user.

35. This will create a new subfolder called Ftemplate under the Faculty-Homes folder with the proper rights (Active Directory Users and Computers creates the folder and grants the account Full Control on it; everything else is inherited from Faculty-Homes).
CREATING NEW USER USING TEMPLATE


To create a new account based off the template, use the following steps: 
1. Right click on the _Faculty Template account and click Copy. 


2. In the Information screen fill it out the information for the New User and 
then click Next. 


[Screenshot: Copy Object - User, Create in: school.local/Faculty. First name, Last name and Full name blank; User logon name: jdoe; User logon name (pre-Windows 2000): SCHOOL\]


3. Make sure that the Account is disabled box is unchecked when creating a real user account. Click Next and then Finish to complete the creation.


[Screenshot: Copy Object - User, password page, Create in: school.local/Faculty. Password and Confirm password filled in; User must change password at next logon checked; User cannot change password and Password never expires unchecked.]
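The template (steps 23-35) and the copy (steps 1-3) as an ActiveDirectory-module script. This is an added example and not part of the guide. Names, OU and the Faculty group are the guide's; servername is the guide's own placeholder, H: as the home drive letter and the jdoe sample account are assumptions. It also handles two things the ADUC Copy dialog does silently that New-ADUser -Instance does not: copying group membership, and creating the home folder with Full Control for the new user.

```powershell
# Added example: disabled _Faculty Template account, then a real user stamped from it.
# Assumes: ActiveDirectory module, run as a domain admin, \\servername\Faculty-Homes$ already shared.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$facultyOu = "OU=Faculty,$($domain.DistinguishedName)"
$homeShare = '\\servername\Faculty-Homes$'

# Template (steps 25-33): disabled, must change password, in Faculty, logon script and home folder set
New-ADUser -Name '_Faculty Template' -GivenName '_Faculty' -Surname 'Template' `
    -SamAccountName 'Ftemplate' -UserPrincipalName "Ftemplate@$($domain.DNSRoot)" -Path $facultyOu `
    -AccountPassword (Read-Host 'Template password' -AsSecureString) `
    -ChangePasswordAtLogon $true -Enabled $false `
    -ScriptPath 'logon.bat' -HomeDrive 'H:' -HomeDirectory "$homeShare\Ftemplate"
Add-ADGroupMember -Identity 'Faculty' -Members 'Ftemplate'

function New-FacultyUserFromTemplate {
    param(
        [Parameter(Mandatory)][string]$Sam,
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [Parameter(Mandatory)][securestring]$Password
    )
    $tpl      = Get-ADUser -Identity 'Ftemplate' -Properties ScriptPath, HomeDrive, HomeDirectory
    $homePath = "$homeShare\$Sam"

    # -Instance copies ScriptPath/HomeDrive etc.; everything named explicitly here overrides it
    New-ADUser -Instance $tpl -Name "$First $Last" -GivenName $First -Surname $Last `
        -SamAccountName $Sam -UserPrincipalName "$Sam@$($domain.DNSRoot)" -Path $facultyOu `
        -HomeDirectory $homePath -AccountPassword $Password `
        -ChangePasswordAtLogon $true -Enabled $true     # a real user: Account is disabled must be off

    # Group membership is copied from the template (Domain Users is the primary group, skip it)
    Get-ADPrincipalGroupMembership -Identity 'Ftemplate' |
        Where-Object { $_.SamAccountName -ne 'Domain Users' } |
        ForEach-Object { Add-ADGroupMember -Identity $_ -Members $Sam }

    # Home folder: Full Control for this user only; the parent's admin-only ACL is inherited
    New-Item -ItemType Directory -Path $homePath -Force | Out-Null
    $acl = Get-Acl -Path $homePath
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        "$($domain.NetBIOSName)\$Sam", 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')))
    Set-Acl -Path $homePath -AclObject $acl
}

New-FacultyUserFromTemplate -Sam 'jdoe' -First 'John' -Last 'Doe' `
    -Password (Read-Host 'Initial password for jdoe' -AsSecureString)

# Verify: enabled, home path and script copied, Faculty membership present
Get-ADUser -Identity 'jdoe' -Properties HomeDirectory, ScriptPath, MemberOf |
    Select-Object Enabled, HomeDirectory, ScriptPath, MemberOf
```

Read-Host -AsSecureString keeps the initial password out of the command history and the script file; with User must change password at next logon set, it is only ever used once.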




LOGON SCRIPTS — BATCH FILE METHOD 


By default Windows does not know what shares users need access to or what drive 
letters they need to be mapped to. By creating a simple batch file logon script, this can 
be accomplished easily. All logon scripts should be saved in the 
\\DOMAINNAME\NETLOGON folder. 


A batch file is nothing more than a series of DOS commands. The main command in a basic batch file logon script is the NET USE command. For instance, if you have a server named DC1 and it has a share named APPS, the following command would map this share as N: for the user when the logon script runs.

NET USE N: \\DC1\APPS

You can use REM to remark out anything that you type after it. This is helpful for documenting what each command is doing in your logon script. REM statements MUST be on their own line; in the example below they are, so the file can be copied as-is (the REM lines are optional and can be dropped).

A logon script would look similar to the following:

LOGON.BAT

@ECHO OFF
REM Disconnect any existing N:, O: and P: mappings so a stale mapping cannot block the new one
NET USE N: /D >NUL 2>&1
NET USE O: /D >NUL 2>&1
NET USE P: /D >NUL 2>&1

REM Map the Apps share on server DC1 to N (non-persistent: rebuilt at every logon, not saved in the profile)
NET USE N: \\DC1\Apps /Persistent:NO
REM Map the Faculty-Apps share on server DC1 to O
NET USE O: \\DC1\Faculty-Apps /Persistent:NO
REM Map the Student-Apps share on server DC1 to P
NET USE P: \\DC1\Student-Apps /Persistent:NO

REM Copy all icon files in the shared folder to the user's Desktop, overwriting any duplicates
XCOPY "\\server\sharename\desktopicons\*.*" "%USERPROFILE%\Desktop" /C /E /S /Y

REM Start BGInfo. The script runs as the logging-on user, so only administrators may be allowed to write to NETLOGON
\\%USERDNSDOMAIN%\netlogon\bginfo.exe \\%USERDNSDOMAIN%\netlogon\bginfo-settings.bgi /timer:0 /accepteula

REM Rename the mapped drives in My Computer
WSCRIPT.EXE \\%USERDNSDOMAIN%\netlogon\rename-mapped-drives.vbs

REM END
EXIT


VBScript to rename mapped network drives. Example: in My Computer the N: drive changes from "apps on 'dc1' (N:)" to "Apps (N:)".

Before: apps on 'dc1' (N:), 229 GB free of 249 GB. After: Apps (N:).

Rename-Mapped-Drives.VBS

'------ Script Start
' Renames the labels shown in My Computer for the drives mapped by LOGON.BAT.
' On Error Resume Next keeps the script running for drive letters that are not mapped.
On Error Resume Next

Dim oShell, objNetwork, UserName

Set oShell = CreateObject("Shell.Application")
Set objNetwork = CreateObject("WScript.Network")

' Capitalise the logon name for display, e.g. JDOE becomes Jdoe
UserName = objNetwork.UserName
UserName = UCase(Left(UserName, 1)) & LCase(Mid(UserName, 2))

Sub RenameDrive(DriveLetter, NewName)
    ' Shell.Application exposes the mapped drive as a folder; setting Self.Name changes its label
    oShell.NameSpace(DriveLetter).Self.Name = NewName
End Sub

RenameDrive "M:", UserName & " - Home Directory"
RenameDrive "N:", "Apps"
RenameDrive "O:", "Faculty Apps"
RenameDrive "P:", "Student Apps"
RenameDrive "W:", UserName & " - Web Space"
RenameDrive "Y:", "Student Home Directories"
RenameDrive "Z:", "Faculty Home Directories"
'------ Script End
If your environment still has a mix of Windows 9X clients and NT-based clients, the logon script can carry a separate section for each. NT-based clients include the operating systems Windows NT Workstation 4.0 up to Windows XP, as well as Server 2003, and every later NT-based Windows version.

Place the following command at the beginning of the script to check what type of OS is on the workstation the user is logging in from, using the OS variable built into NT-based clients:

IF "%OS%"=="Windows_NT" GOTO NTClients

Some of the other variables that are available are %LOGONSERVER%, %COMPUTERNAME% and %USERNAME%. These variables can be used in the logon script and can also be echoed from a command prompt (for example ECHO %LOGONSERVER%) to check the validity of your syntax.

**All logon scripts need to be placed in the NETLOGON folder, \\DomainName\NETLOGON. Anything placed in this folder is replicated to ALL domain controllers.
IMPLEMENTING SHADOW COPIES


CLIENT USAGE SCENARIOS 


Shadow copy usage scenarios for both client and IT administrators are relatively 
straightforward. Three common scenarios of data loss due to human error are: 


= Accidental file deletions. 
=- Accidental overwrites of a file (for example, forgot to perform ‘Save as’). 
= File corruption. 


Shadow Copies of Shared Folders provides an end user-accessible tool that restores documents by accessing point-in-time shadow copies of documents and folders stored on network shares. Local volume recovery on an end user's computer, for example, is not supported. The network file share must have the Volume Shadow Copy service enabled on a computer running Windows Server 2003 or later (Windows Server 2012 R2 in this guide).


Shadow Copies of Shared Folders is transparent to end users when they store files on 
the network file server. Only when an end user needs to replace a lost or damaged file 
with a prior version will they activate the client user interface (UI) through Windows 
Explorer. Shadow Copies of Shared Folders also enables users to see network folder 
contents at specific points in time. 


WHAT SHADOW COPIES OF SHARED FOLDERS CAN Do 


Shadow Copies of Shared Folders helps end users: 
= Recover files without assistance from the help desk 
= Recover files that were not saved using the "Save As" command.


= Recover files that were corrupted and not recovered with the file recovery 
capabilities of Windows XP Professional or Microsoft Office XP. 


Shadow Copies of Shared Folders creates a safety net for end users by providing an 
easily and readily available previous version of a file. In this way, Shadow Copies of 
Shared Folders helps end users to: 


= Manage their own files. 
= Fix mistakes without rebuilding the file or calling the help desk. 


= Save time and money for the business. 
IT USAGE SCENARIOS


The most common scenario for recovering lost or corrupted files is a request by the end 
user to the IT help desk to find an archived version. Assuming that the organization has 
an archiving system in place, this request usually means a costly and time-intensive 
search of archived media, which in many instances is a tape back-up. 

This situation creates several problems: 


= Potential loss of business agility or revenue if the lost document is time- or 
context-sensitive. 


= Increased unproductive time for end user. 


= Increased cost to help desk and IT support services. 


Shadow Copies of Shared Folders enables end users to view the contents of shared 
folders as they existed at specific points in time, and recover those files by themselves. 
This eliminates administrators having to restore accidentally deleted or overwritten 
files. Implementing Shadow Copies of Shared Folders for routine file recovery scenarios 
can help to: 


= Reduce demand on busy administrators; for example, by reducing restore-from- 
tape requests. 


= Reduce the cost of recovering single or multiple files.

Table 1 below presents a summary of how end users, IT departments, and organizations can benefit by implementing Shadow Copies of Shared Folders.


Table 1: Benefits of Using Shadow Copies of Shared Folders 


Benefit | End User | IT Department | Company

Saves lost time by not having to rebuild file v v 

Empowers users to manage their own files v v 

Saves critical data and information v v 

Saves money by avoiding data loss v 

Avoids loss of revenue by retaining critical data v 

Reduces end users' dependence on IT administrators v v
HOW SHADOW COPY WORKS


The shadow copy feature in Windows Server works by making a block-level copy of any 
changes that have occurred to files since the last shadow copy. Only the changes are 
copied, not the entire file. 


As a result, previous versions of files do not usually take up as much disk space as the 
current file, although the amount of disk space used for changes can vary, depending on 
the application that changed the file. 

For example, some applications rewrite the entire file when a change is made, but other 
applications add changes to the existing file. If the entire file is rewritten to disk, then 
the shadow copy contains the entire file. Therefore, consider the type of applications in 
your organization, as well as the frequency and number of updates, when you 
determine how much disk space to allocate for shadow copies. 


**Shadow copies DO NOT eliminate the need to perform regular backups, nor do shadow copies provide protection from media failure. In addition, shadow copies are not permanent. As new shadow copies are taken, old shadow copies are purged when the size of all shadow copies reaches a configurable maximum, or when the number of shadow copies reaches 64, whichever is sooner. Therefore, shadow copies might not be present for as long as end users expect them to be. End user needs and expectations should be considered when shadow copies are configured. Shadow copies also sit on the same server as the live data; ransomware or an administrator with rights on the volume can delete them, which is another reason they are not a backup.

A copy of the Shadow Copy Client can be downloaded for Windows XP or prior operating systems from the following link:
http://www.microsoft.com/en-us/download/details.aspx?id=16220

**Windows Vista and later have the Shadow Copy client installed by default.
IMPLEMENTING SHADOW COPIES

1. On the server, open File Explorer and then select Computer.

2. Right-click on the volume that you would like to enable Shadow Copies on and then click Properties.

3. Click on the Shadow Copies tab.

4. Select the volume(s) from the list that shadow copies need to be enabled on and then click Enable.

5. On the Enable Shadow Copies dialog box that pops up, check Do not show this message again and click Yes.

6. Click on the volume that you enabled Shadow Copies for, then click the Settings button.


[Screenshot: volume Properties, Shadow Copies tab. "Shadow copies allow users to view the contents of shared folders as the contents existed at previous points in time." Select a volume: C:\ with Next Run Time 5/8/2013 7:0..., and a second volume shown as Disabled with 0 shares. Buttons: Enable, Settings. Shadow copies of selected volume: 5/7/2013 3:15 PM.]

7. Click the Schedule button. 
8. By default, the only two scheduled snapshot times are every day at 7 AM and 12 PM, Monday to Friday. Adjust this schedule to meet the district's needs or create a new schedule as required.


[Screenshot: Schedule dialog. "1. At 7:00 AM every Mon, Tue, Wed, Thu, Fri of every week, starting 5/7". Schedule Task: Weekly; Every 1 week(s) on: Mon, Tue, Wed, Thu, Fri; Show multiple schedules.]


9. Click OK twice to return to the Shadow Copies Settings window. 


10. Click OK to return to Computer. 
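The same result from the command line, as an added example that is not part of the guide. vssadmin and schtasks are the built-in tools the Shadow Copies tab drives; D: as the home-folder volume and the 10% storage cap are assumptions, and the schedule reproduces the tab's default of 7:00 and 12:00 on weekdays.

```powershell
# Added example: enable Shadow Copies of Shared Folders on a volume without the GUI (steps 1-10).
# Assumes: run in an elevated PowerShell on the file server, D: as the volume to protect.
$vol = 'D:'

# Storage area for the copies (the tab's Settings button). When it fills, or at 64 copies,
# the oldest copies are purged, so size it for the churn you expect, not for the volume size.
vssadmin add shadowstorage "/for=$vol" "/on=$vol" /maxsize=10%

# Take the first copy now
vssadmin create shadow "/for=$vol"

# Same schedule the tab creates by default: 07:00 and 12:00, Monday to Friday, running as SYSTEM
foreach ($time in '07:00', '12:00') {
    $task = "ShadowCopyVolume_$($vol.TrimEnd(':'))_$($time.Replace(':', ''))"
    schtasks /create /tn $task /ru SYSTEM /sc WEEKLY /d MON,TUE,WED,THU,FRI /st $time `
        /tr "vssadmin create shadow /for=$vol" /f | Out-Null
}

# Verify: the copy just taken, and one of the two scheduled tasks
vssadmin list shadows "/for=$vol"
schtasks /query /tn "ShadowCopyVolume_$($vol.TrimEnd(':'))_0700"
```

vssadmin list shadowstorage shows how much of the cap is in use; if it is near full after a week, raise /maxsize before users discover that their Previous Versions list is shorter than they expected.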
IMPLEMENTING VOLUME BASED QUOTA LIMITS


VOLUME LEVEL QUOTA LIMITS USING PROPERTIES 


**Quota limits are based on volumes. When applied, a quota limit applies to every user that saves data on the volume. It is recommended that Faculty and Student home folders be kept on separate volumes; this allows a different quota limit on each volume.

1. On the server, open File Explorer and then select Computer.


2. Right click on the volume that Quota limits need to be enabled and then 
select Properties and click on the Quota tab. 


3. Check the box next to Enable Quota Management. 


[Screenshot: volume Properties, Quota tab. Status: Disk quotas are disabled. Enable quota management (checked); Deny disk space to users exceeding quota limit (checked). Select the default quota limit for new users on this volume: Do not limit disk usage, or Limit disk space to 1 with warning level 950 (units cut off in the capture). Quota logging options: Log event when a user exceeds their quota limit; Log event when a user exceeds their warning level. Quota Entries... button.]


**]t is recommended to enable Deny Disk Space to Users Exceeding Quota Limit. 


4. Select the radio button next to Limit disk space to. Set the limit and warning 
level to meet district’s needs. You can set the log options to meet your 
needs. 


5. Click Apply and OK. 


To view user’s current disk utilization, click on the Quota Entries button from within the 
window. 
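The volume-level quota from steps 1-5 without the Quota tab, as an added example that is not part of the guide. The Win32_QuotaSetting WMI class is what the tab edits (fsutil quota can enforce quotas and set per-user entries but cannot set the default limit for new users); D: as the Faculty home volume, the 1 GB / 950 MB values and the yearbook-editor account are assumptions.

```powershell
# Added example: enable and enforce NTFS volume quotas with a default limit (steps 1-5).
# Assumes: elevated PowerShell on the file server, D: as the home-folder volume.
$q = Get-WmiObject -Class Win32_QuotaSetting -Filter "VolumePath='D:\\'"
$q.DefaultLimit         = 1GB      # Limit disk space to
$q.DefaultWarningLimit  = 950MB    # Set warning level to
$q.State                = 2        # 0 = disabled, 1 = track only, 2 = enforce (Deny disk space to users exceeding quota limit)
$q.ExceededNotification = $true    # Log event when a user exceeds their quota limit
$q.Put() | Out-Null

# One account that needs a larger allowance (the Quota Entries button):
# fsutil quota modify <volume> <warning bytes> <limit bytes> <user>
fsutil quota modify D: 1900000000 2000000000 SCHOOL\yearbook-editor

# Current usage and limits per user, as shown in Quota Entries
fsutil quota query D:
```

State 1 (track only) is useful for a week before switching to 2, so the first hard failures are not a surprise to users who are already over the limit.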
DIRECTORY LEVEL QUOTA LIMITS USING FILE SERVER RESOURCE MANAGER

INSTALL FILE SERVER RESOURCE MANAGER

1. Launch Server Manager.


2. Click Manage and then select Add Roles and Features. 




3. On the Before You Begin screen, click Next. 


4. On the Select Installation type screen, select Role-based or Feature-based 
installation and click Next. 


5. On the Select Destination server screen, click Next. 


6. On the Select Server roles page expand File and Storage Services to view the 
options below. 


7. Expand File and iSCSI Services, select File Server Resource Manager. 


8. In the Add Roles and Features dialog box that pops up, click Add Features and then click Next.


9. Click Next for rest of the screens, and then click Install. 
[Screenshot: Select server roles: File And Storage Services (Installed) > File and iSCSI Services (Installed) > File Server (Installed), BranchCache for Network Files, Data Deduplication, DFS Namespaces, DFS Replication, File Server Resource Manager (checked), File Server VSS Agent Service, iSCSI Target Server.]


10. When the installation is finished, click Close and restart the server. 


CONFIGURE QUOTA TEMPLATES 


11. Now that the File Server Resource Manager role is installed, configure it by clicking on Tools and selecting File Server Resource Manager from the drop-down list.



12. Expand Quota Management in the left-hand pane and click on Quota 
Templates. 


13. Under the Actions pane (far right) click Create Quota Template. 


14. Enter a template name, such as Faculty Home Directory Limits or Student Home 
Directory Limits. 


15. Enter the limit size and select either Hard quota or Soft quota. 


16. Email notifications to either the user or network administrative staff can be 
enabled by clicking on the Add button in the Notification threshold section. 


17. Click OK to save the Quota Template. 
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APPLY QUOTA TEMPLATE TO DIRECTORY 
18. Under the Quota Management section of the left pane, click on Quotas. 
19. Right-click Quotas and select Create Quota. 


20. Click the Browse button to select the directory that you wish to apply the quota 
limit to. 


21. Select the following quota type: 


Create quota on path — This will apply the space limitation to ALL files and 
folders within the parent directory. 


**This option should be used for folders such as Yearbook Staff or Multimedia 
class where multiple users save to the same folder. 


Auto apply template and create quotas on existing and new subfolders — This 
will apply the template to the subfolders within the parent folder. 


**This option should be used for applying limits on home directory folders and 
is automatically applied to any new folders created. This method would allow 
you to have your Faculty-Homes and Student-Homes parent folders both on 
their own volume or you can also place them on the Data volume with the rest 
of your network shares. 


22. Select the Quota Template to be used from the drop-down menu under Derive 
properties from this quota template and click Create. 


[Screenshot: Create Quota dialog. Quota path: C:\Faculty-Homes. Auto apply template and create quotas on existing and new subfolders is selected. Quota properties: Derive properties from this quota template (recommended): Faculty Home Directory Limits. Summary of quota properties: Auto Apply Quota: C:\Faculty-Homes; Source template: Faculty Home Directory Limits; Limit: 1.00 GB (Hard); Notification: 1.]
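The template and quota steps above, done from PowerShell with the FileServerResourceManager module, as an added example that is not part of the DIS guide. It creates both templates with an e-mail warning at 85% and an event-log entry at 100%, auto-applies them to the two home-directory parents, puts a single quota on a shared class folder, and reads back the result. The limits (1 GB faculty, 500 MB students), the 85% threshold, the admin mailbox and the D:\ paths are assumptions; the guide only fixes the template names and the 1 GB faculty hard limit shown in its screenshot.

```powershell
# Added example (not from the DIS guide): FSRM quota templates and auto-apply
# quotas for the Faculty-Homes / Student-Homes layout described above.
# Assumptions: the limits, the 85% warning threshold, the admin mailbox and
# the D:\ paths. Run elevated on the file server after the FSRM role is
# installed; SMTP settings for FSRM must already be set (Set-FsrmSetting).
Import-Module FileServerResourceManager

$AdminMail = 'lanadmin@school.local'   # assumed notification address

# One e-mail action, sent to the admin and to the owner of the file whose
# write crossed the threshold. The bracketed names are FSRM macros.
$warnMail = New-FsrmAction -Type Email `
    -MailTo "$AdminMail;[Source Io Owner Email]" `
    -Subject 'Quota warning: [Quota Path] is at [Quota Used Percent]%' `
    -Body 'User [Source Io Owner] has used [Quota Used] of the [Quota Limit] limit on [Quota Path].'

# Mail at 85%; log a warning event at 100% (a hard quota also blocks the write).
$warn = New-FsrmQuotaThreshold -Percentage 85  -Action $warnMail
$full = New-FsrmQuotaThreshold -Percentage 100 -Action (
    New-FsrmAction -Type Event -EventType Warning `
        -Body 'Quota on [Quota Path] reached ([Quota Used] of [Quota Limit]).')

$templates = @{
    'Faculty Home Directory Limits' = 1GB      # matches the guide's screenshot
    'Student Home Directory Limits' = 500MB    # assumed
}
foreach ($name in $templates.Keys) {
    if (-not (Get-FsrmQuotaTemplate -Name $name -ErrorAction SilentlyContinue)) {
        # No -SoftLimit: this is a hard quota, writes fail once the limit is hit.
        New-FsrmQuotaTemplate -Name $name -Size $templates[$name] -Threshold $warn, $full | Out-Null
    }
}

# "Auto apply template and create quotas on existing and new subfolders":
# every current and future subfolder (each user's home) gets its own quota.
$homes = @{
    'D:\Faculty-Homes' = 'Faculty Home Directory Limits'
    'D:\Student-Homes' = 'Student Home Directory Limits'
}
foreach ($path in $homes.Keys) {
    if (-not (Get-FsrmAutoQuota -Path $path -ErrorAction SilentlyContinue)) {
        New-FsrmAutoQuota -Path $path -Template $homes[$path] | Out-Null
    }
}

# "Create quota on path": one limit shared by everyone writing to the folder.
if (-not (Get-FsrmQuota -Path 'D:\Shares\Yearbook' -ErrorAction SilentlyContinue)) {
    New-FsrmQuota -Path 'D:\Shares\Yearbook' -Template 'Faculty Home Directory Limits' | Out-Null
}

# Verify: every per-user quota under the home parents, with usage and limit.
Get-FsrmQuota | Where-Object { $_.Path -like 'D:\*-Homes\*' } |
    Select-Object Path, Template, SoftLimit,
        @{ n = 'LimitMB'; e = { [math]::Round($_.Size / 1MB) } },
        @{ n = 'UsedMB';  e = { [math]::Round($_.Usage / 1MB) } } |
    Sort-Object Path | Format-Table -AutoSize
```

The Get-FsrmQuota check at the end is the quickest way to confirm that an auto-apply quota really produced a quota for each existing home folder; a folder created before the auto-apply quota that does not appear here usually means the path was typed differently from the real folder name.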
FINE-GRAINED PASSWORD POLICIES (ACT-723)


Fine-grained password policies were introduced with Windows Server 2008 AD DS;
Windows Server 2012 adds the ability to create and edit them from a GUI (the
Active Directory Administrative Center) instead of ADSI Edit or PowerShell.


Fine-grained password policies allow network administrators to configure multiple
password policies within a single domain, applying different password and account
lockout restrictions to different sets of users and groups. A policy (a Password
Settings Object, PSO) can be applied only to user objects and global security
groups, never to an OU, and the domain functional level must be Windows Server
2008 or higher. When a user is covered by more than one PSO, the one with the
lowest precedence value wins; if two PSOs share the same precedence the one with
the smallest objectGUID applies, so give the policies distinct precedence values
whenever an account could be a member of both groups.
Policy Name                    Faculty Password Policy   Students Password Policy
Precedence                     1                         1
Group Name                     Faculty/Staff             Students
Minimum Password Length        8                         8
Enforce Password History       5 (Recommended)           5 (Recommended)
Minimum Password Age (days)    1                         1
Maximum Password Age (days)    90                        180


To configure fine-grained password policies as per the table above (ACT723 - K12 State
Security Policies), use the following steps:


1. Launch Server Manager.


2. Click on Tools and select Active Directory Administrative Center (ADAC) from
the drop down list.


[Screenshot: Server Manager Tools menu with Active Directory Administrative Center highlighted.]
3. When ADAC opens, change the view from List view to Tree view.
[Screenshot: Active Directory Administrative Center welcome page; the navigation pane lists school (local), Dynamic Access Control and Global Search, with the Tree view button at the top of the pane.]
4. Expand the domain name and navigate to System and then Password Settings
Container.


[Screenshot: ADAC tree view expanded to school (local) > System (Default Domain Policy, Dfs-Configuration, DFSR-GlobalSettings, DomainUpdates, File Replication Service, FileLinks, IP Security, Meetings, MicrosoftDNS, Password Settings Container, Policies, ...). Password Settings Container is selected; object class msDS-PasswordSettingsContainer. The Tasks pane offers New > Password Settings.]
5. Right-click on Password Settings Container, select New and then Password
Settings.
6. Specify the password policy settings for each of the required policies listed
in the table above.


[Screenshot: Create Password Settings: Faculty Password Policy. Password Settings section: Name, Precedence, Enforce minimum password length (Minimum password length 8), Enforce password history (Number of passwords remembered 5), Password must meet complexity requirements (checked), Store password using reversible encryption (unchecked), Protect from accidental deletion (checked), Description. Password age options: Enforce minimum password age (User cannot change the password within ... days), Enforce maximum password age (User must change the password after ... days). Enforce account lockout policy: Number of failed logon attempts allowed, Reset failed logon attempts count after (minutes), Account will be locked out for ... minutes / until an administrator manually unlocks the account. Directly Applies To section: Name list with Add/Remove.]

7. After the attributes for the password policy have been filled in, click Add
under Directly Applies To to link the policy to the required security group,
and then click OK twice.


[Screenshot: the same Create Password Settings: Faculty Password Policy dialog filled in (minimum password age 1 day, maximum password age 90 days, account lockout configured) with the Select Users or Groups picker open: object type Users or Groups, location school.local, object name Faculty; OK.]


**Repeat steps 5 — 7 for Students password policy 
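The same two policies created with the ActiveDirectory PowerShell module, as an added example that is not part of the DIS guide. It builds both PSOs from the ACT-723 table, links each to its group, and then asks the directory which policy actually applies to a given account, which is the check to run after step 7. Assumptions: the global security groups are named Faculty and Students, the sample accounts jsmith and astudent exist, and the account-lockout values (the table gives none). Precedence is set to 10 and 20 rather than the table's 1 and 1 so the two policies can never tie for a user who is in both groups; the rest of the values are the table's.

```powershell
# Added example (not from the DIS guide): the Faculty and Students PSOs from
# the ACT-723 table, created and linked with the ActiveDirectory module.
# Assumptions: group names "Faculty" and "Students", sample accounts, and the
# lockout values. Requires domain functional level 2008 or higher.
Import-Module ActiveDirectory

$policies = @(
    @{ Name = 'Faculty Password Policy';  Group = 'Faculty';  MaxAgeDays = 90;  Precedence = 10 }
    @{ Name = 'Students Password Policy'; Group = 'Students'; MaxAgeDays = 180; Precedence = 20 }
)

foreach ($p in $policies) {
    $params = @{
        Name                            = $p.Name
        Precedence                      = $p.Precedence
        MinPasswordLength               = 8
        PasswordHistoryCount            = 5
        MinPasswordAge                  = New-TimeSpan -Days 1
        MaxPasswordAge                  = New-TimeSpan -Days $p.MaxAgeDays
        ComplexityEnabled               = $true
        ReversibleEncryptionEnabled     = $false                    # never store reversible passwords
        LockoutThreshold                = 10                        # assumed: not in the table
        LockoutObservationWindow        = New-TimeSpan -Minutes 30  # assumed
        LockoutDuration                 = New-TimeSpan -Minutes 30  # assumed
        ProtectedFromAccidentalDeletion = $true
    }
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'")) {
        New-ADFineGrainedPasswordPolicy @params
    }
    # A PSO applies only to users and global security groups, never to OUs.
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $p.Name).Name
    if ($subjects -notcontains $p.Group) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $p.Group
    }
}

# Which policy really applies to an account: the lowest precedence among
# the PSOs that cover the user; with no PSO the Default Domain Policy applies.
foreach ($user in 'jsmith', 'astudent') {      # assumed sample accounts
    $rsop = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($rsop) {
        '{0,-10} -> {1} (min length {2}, max age {3} days)' -f `
            $user, $rsop.Name, $rsop.MinPasswordLength, $rsop.MaxPasswordAge.Days
    } else {
        '{0,-10} -> no PSO, Default Domain Policy applies' -f $user
    }
}
```

Get-ADUserResultantPasswordPolicy is the authoritative answer to "which policy does this user get"; run it for a member of each group and for an account that is in both before assuming the GUI precedence values do what you expect.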
SOME COMMON K12 GROUP POLICIES


RETAIN SECURITY EVENT LOG FOR 90 DAYS GROUP POLICY
1. Launch Server Manager. 


2. Click on Tools and select Group Policy Management from the drop down list. 


[Screenshot: Server Manager Tools menu with Group Policy Management highlighted.]
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


[Screenshot: Group Policy Management console, Forest: school.local > Domains > school.local > Default Domain Policy, with Edit... selected on the context menu (other entries: Enforced, Link Enabled, Save Report..., New Window from Here, Delete, Rename, Refresh, Help).]
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6. Expand Computer Configuration > Policies > Windows Settings > Security 
Settings and select Event Log. 


7. Set the Retain security log policy to 90 days. You will automatically be
prompted to change the Retention method to By days. Click OK.


8. Set the Maximum security log size to 131072 kilobytes (128 MB). With
retention set by days, a log that fills up with events younger than 90 days
stops recording new events instead of overwriting the oldest ones, so on a
busy domain controller (logon and account-logon auditing generate many events)
128 MB may have to be raised until the log actually holds 90 days.


[Screenshot: Group Policy Management Editor, Computer Configuration > Policies > Windows Settings > Security Settings > Event Log: Maximum security log size 131072 kilobytes; Retention method for security log By days; Maximum application log size, Maximum system log size, Retention method for application/system log, Prevent local guests group from accessing application/security/system log and Retain application log all Not Defined.]


AUTO-BACKUP AND CLEAR EVENT LOGS (AT LEAST WINDOWS VISTA) 


9. Expand Computer Configuration > Policies > Administrative Templates > 
Windows Components > Event Log Service and select Security. 


10. Enable the Backup log automatically when full setting. This setting only takes
effect when the Retain old events setting in the same folder is also enabled; with
the 90-day retention configured in step 7 the log is overwritten rather than backed
up, so enable Retain old events here as well if the backup-and-clear behaviour is
what you want.


11. Close the Group Policy Management Editor. 
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SECURITY EVENT AUDITING — SECURITY EVENT LOG CONTENTS 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies and select Audit Policy.


7. Enable auditing for the following policy settings:


a. Audit account logon events (Success AND Failure)
b. Audit account management (Success)
c. Audit logon events (Success AND Failure)
d. Audit policy change (Success)


**These are the legacy audit categories. Windows Vista and later also have the
more detailed Advanced Audit Policy Configuration subcategories, and as soon as
any subcategory is configured on a computer it overrides the legacy category
there (Security Options: "Audit: Force audit policy subcategory settings (Windows
Vista or later) to override audit policy category settings", enabled by default).
Check the effective state with auditpol /get /category:* rather than trusting the
GPO alone.


[Screenshot: Group Policy Management Editor, Security Settings > Local Policies > Audit Policy: Audit account logon events Success, Failure; Audit account management Success; Audit directory service access Not Defined; Audit logon events Success, Failure; Audit object access Not Defined; Audit policy change Success; Audit privilege use Not Defined; Audit process tracking Not Defined.]
8. Close the Group Policy Management Editor.
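A read-back of what the two event-log and audit-policy procedures above actually produced on a server, as an added example that is not part of the DIS guide. It reports the effective Security log size and retention mode, estimates from the log's real event rate whether 131072 KB will hold 90 days on this host, and compares every audit subcategory under the four enabled categories against the guide's values. Assumptions: an English Windows (auditpol output is parsed as text) and an elevated prompt, run after the Default Domain Policy change has replicated and gpupdate /force has completed.

```powershell
# Added example (not from the DIS guide): verify the Security log and audit
# settings from the two procedures above on the local server.
# Assumes English auditpol output and an elevated PowerShell session.
$expectedSizeKB = 131072      # 128 MB, from the guide
$expectedDays   = 90

# --- Security log size / retention ----------------------------------------
$log    = Get-WinEvent -ListLog Security
$sizeKB = [int]($log.MaximumSizeInBytes / 1KB)
'Security log: {0} KB max, mode {1}, {2} records, {3} KB used' -f `
    $sizeKB, $log.LogMode, $log.RecordCount, [int]($log.FileSize / 1KB)
if ($sizeKB -lt $expectedSizeKB) { Write-Warning "Maximum size is below $expectedSizeKB KB" }

# With "retain by days" a log that fills with events younger than 90 days
# stops accepting new events, so estimate the size needed at this host's rate.
if ($log.RecordCount -gt 1) {
    $oldest   = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $newest   = Get-WinEvent -LogName Security -MaxEvents 1
    $spanDays = [math]::Max(($newest.TimeCreated - $oldest.TimeCreated).TotalDays, 0.01)
    $neededKB = [int]($log.FileSize / $spanDays * $expectedDays / 1KB)
    'Log currently spans {0:N1} days; about {1} KB needed to hold {2} days' -f $spanDays, $neededKB, $expectedDays
    if ($neededKB -gt $sizeKB) { Write-Warning "$sizeKB KB will not hold $expectedDays days of events on this host" }
}

# --- Audit policy -----------------------------------------------------------
# Legacy categories the guide enables and the setting each should show.
$expectedAudit = [ordered]@{
    'Account Logon'      = 'Success and Failure'
    'Account Management' = 'Success'
    'Logon/Logoff'       = 'Success and Failure'
    'Policy Change'      = 'Success'
}
# auditpol reports subcategories; a legacy category setting fans out to all
# of them. Subcategory lines look like "  Credential Validation   Success and Failure".
$mismatch = 0
foreach ($cat in $expectedAudit.Keys) {
    auditpol /get /category:"$cat" | ForEach-Object {
        if ($_ -match '^\s{2}(\S.*?)\s{2,}(\S.*)$') {
            $sub, $setting = $Matches[1], $Matches[2].Trim()
            $ok = ($setting -eq $expectedAudit[$cat])
            if (-not $ok) { $mismatch++ }
            '{0,-19} {1,-42} {2,-20} {3}' -f $cat, $sub, $setting, $(if ($ok) { 'OK' } else { 'MISMATCH' })
        }
    }
}
# A MISMATCH with the GPO applied usually means an Advanced Audit Policy
# subcategory is configured somewhere and is overriding the legacy category.
"$mismatch subcategories differ from the guide's settings"
```

The size estimate is deliberately crude (bytes per day over the span the log currently covers, scaled to 90 days), but it is the number that decides whether step 8's 128 MB is enough for a given domain controller.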


GROUP POLICY FOR LOGON BANNER 


1. Launch Server Manager.


2. Click on Tools and select Group Policy Management from the drop down list.


3. Expand Forest: yourdomain.local.


4. Expand Domains and then expand yourdomain.local and navigate to Default
Domain Policy.


5. Right-click the Default Domain Policy and click Edit.


6. Expand Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies and select Security Options.


7. Navigate to the following options and define them:


a. Interactive logon: Message text for users attempting to log on.
b. Interactive logon: Message title for users attempting to log on.


[Screenshot: Group Policy Management Editor, Security Settings > Local Policies > Security Options, showing the Interactive logon, Microsoft network client/server and Network access settings; Interactive logon: Message text for users attempting to log on and Interactive logon: Message title for users attempting to log on are highlighted (Not Defined before the change).]


8. Close the Group Policy Management Editor.
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LOCKING SCREEN SAVER GROUP POLICY 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Default 
Domain Policy. 


5. Right-click the Default Domain Policy and click Edit. 


6. Expand User Configuration > Policies > Administrative Templates > Control 
Panel and select Personalization. 


7. Set the Enable Screen Saver policy to Enabled. 
8. Set the Password Protect the Screen Saver policy to Enabled. 


9. Set the Screen Saver timeout to Enabled and to a recommended time of 900 
seconds (15 minutes). 


[Screenshot: Group Policy Management Editor, Default Domain Policy [WIN-DC1.SCHOOL.LOCAL], User Configuration > Policies > Administrative Templates > Control Panel > Personalization: Enable screen saver Enabled; Password protect the screen saver Enabled; Screen saver timeout configured; Force specific screen saver, Load a specific theme, Prevent changing ... and the remaining settings Not configured.]

10. Close the Group Policy Management Editor. 
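A check for the logon-banner and locking-screen-saver policies above, run on a domain-joined workstation after gpupdate, as an added example that is not part of the DIS guide. Both policies are delivered as registry values; the script reads the documented policy locations (HKLM ...\Policies\System for the banner, HKCU ...\Policies\Microsoft\Windows\Control Panel\Desktop for the screen saver) and reports anything missing or outside the guide's 900-second timeout. The only assumption is that the computer has applied the Default Domain Policy at least once.

```powershell
# Added example (not from the DIS guide): confirm on a workstation that the
# logon banner and locking screen saver GPO settings have actually arrived.
# The paths are the registry locations those policies write to; 900 s is the
# guide's recommended timeout.
$sys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$desk = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

$checks = @(
    @{ Name = 'Banner title';     Path = $sys;  Value = 'legalnoticecaption';  Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Name = 'Banner text';      Path = $sys;  Value = 'legalnoticetext';     Test = { param($v) -not [string]::IsNullOrWhiteSpace($v) } }
    @{ Name = 'Screen saver on';  Path = $desk; Value = 'ScreenSaveActive';    Test = { param($v) $v -eq '1' } }
    @{ Name = 'Saver locks';      Path = $desk; Value = 'ScreenSaverIsSecure'; Test = { param($v) $v -eq '1' } }
    @{ Name = 'Timeout <= 900 s'; Path = $desk; Value = 'ScreenSaveTimeOut';   Test = { param($v) [int]$v -gt 0 -and [int]$v -le 900 } }
)

$results = foreach ($c in $checks) {
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Value) } else { $null }
    [pscustomobject]@{
        Check  = $c.Name
        Value  = $actual
        Status = if ($null -ne $actual -and (& $c.Test $actual)) { 'OK' } else { 'MISSING/WRONG' }
    }
}
$results | Format-Table -AutoSize

# The screen-saver half lives under User Configuration, so it is only present
# once the user has logged on and user policy has been processed; the banner
# (Computer Configuration) applies at boot/background refresh. If something is
# missing, refresh and look at which GPO won with gpresult.
if ($results.Status -contains 'MISSING/WRONG') {
    gpupdate /force | Out-Null
    gpresult /scope:user /r
}
```

A user who can still change the timeout in Control Panel despite "OK" here has the setting delivered but not locked; that is controlled separately by Prevent changing screen saver in the same Personalization folder.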
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FOLDER REDIRECTION GROUP POLICY 


1. Launch Server Manager. 
2. Click on Tools and select Group Policy Management from the drop down list. 
3. Expand Forest: yourdomain.local. 


4. Expand Domains and then expand yourdomain.local and navigate to Group 
Policy Objects. 


5. Right-click on the Group Policy Objects and then select New. 
6. Name the new group policy Folder Redirection Policy and click OK. 


7. Expand Group Policy Objects. Right-click on the newly created Folder 
Redirection Policy and click Edit to open the Group Policy Editor. 


8. Expand User Configuration > Policies > Windows Settings and select Folder 
Redirection. 


9. Right click on Documents and click Properties. 
10. Change the Setting to Basic - Redirect everyone's folder to the same
location and set the Target folder location to Redirect to the user's home
directory.


[Screenshot: Documents Properties, Target tab. Setting: Basic - Redirect everyone's folder to the same location. Target folder location: Redirect to the user's home directory. Note: This setting ignores the value of the 'Grant the user exclusive rights to Documents' option on the Settings page.]
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11. Click the Settings tab and check the box Also apply redirection policy to 
Windows 2000, Windows 2000 Server... 


[Screenshot: Documents Properties, Settings tab. Grant the user exclusive rights to Documents (checked); Move the contents of Documents to the new location (checked); Also apply redirection policy to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems (checked). Policy Removal: Leave the folder in the new location when policy is removed (selected); Redirect the folder back to the local user profile location when policy is removed.]

12. Click Apply and if prompted to also redirect Pictures, Music, etc. to the Home 
Directory, click Yes. Click OK. 


13. Close the Group Policy Management Editor. 


RESTRICT COMPUTERS TO FACULTY USE ONLY 


This policy can be used to prevent students from logging on to faculty machines. It
is based on the Faculty user group and can be adjusted to whichever group of users
meets your needs.


1. Launch Server Manager. 


2. Click on Tools and select Active Directory Users and Computers from the 
drop down list. 


3. Create a security group called Faculty Use Only Computers under Custom 
Security Groups Organization Unit (OU). 


4. Under Server Manager, click on Tools and select Group Policy Management 
from the drop down list. 
5. Expand Forest: yourdomain.local.


6. Expand Domains and then expand yourdomain.local and navigate to Group
Policy Objects.


7. Right-click on the Group Policy Objects and then select New.


8. Name the new group policy Faculty Use Only Computers and click OK.


9. Expand Group Policy Objects and select the newly created Faculty Use Only
Computers policy.


10. In the right-hand pane, click on the Scope tab. Under the Security Filtering list,
select Authenticated Users and then click the Remove button.


11. Click the Add button, enter the group name Faculty Use Only Computers and
then click OK.


12. Right-click on the newly created Faculty Use Only Computers policy and
select Edit.


13. Expand Computer Configuration > Policies > Windows Settings > Security
Settings > Local Policies and select User Rights Assignment.


14. In the right-hand window, double-click on Allow log on locally.


15. Check the box for Define these policy settings.


16. Click the Add User or Group button and add Domain Admins,
Administrators, and Faculty to the list. Click Apply and OK.


**Once the policy defines this right, the list replaces the computer's default
list entirely, so leaving Administrators and Domain Admins out would lock
administrators out of the console. The right only governs console logons;
Remote Desktop logons are controlled by Allow log on through Remote Desktop
Services.


Arkansas Department of Information Systems — APSCN LAN Support 
Printed on 5/14/2014 




[Screenshot: Group Policy Management Editor, Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment; the rights (Access Credential Manager as a trusted caller ... Deny log on as a service) are all Not Defined before the change.]


17. Close the Group Policy Management Editor and link the policy to the Faculty
Workstations OU.


**Once this policy is created and applied, add computers to the Faculty Use
Only Computers security group to apply the policy. A reboot is required
after the computer is added to or removed from the group to enforce/remove
the policy.
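The group, GPO, security filtering, OU link and group membership from the steps above done with the ActiveDirectory and GroupPolicy modules, followed by the check to run on one of the workstations after it reboots, as an added example that is not part of the DIS guide. The Allow log on locally right itself (steps 13-16) has no GroupPolicy cmdlet and is still set in the editor as described. Assumptions: the domain's OU paths (Custom Security Groups, Faculty Workstations) and the computer names FAC-LAB01 and FAC-LAB02.

```powershell
# Added example (not from the DIS guide): create the Faculty Use Only Computers
# group and GPO, filter the GPO to that group, link it, add the computers, and
# then (on a rebooted member) list who holds "Allow log on locally".
# Assumptions: OU paths and computer names below.
Import-Module ActiveDirectory, GroupPolicy

$domainDN  = (Get-ADDomain).DistinguishedName
$groupName = 'Faculty Use Only Computers'
$gpoName   = 'Faculty Use Only Computers'
$groupOU   = "OU=Custom Security Groups,$domainDN"    # assumed
$linkOU    = "OU=Faculty Workstations,$domainDN"      # assumed
$members   = 'FAC-LAB01', 'FAC-LAB02'                  # assumed computer names

# Security group that will hold the faculty-only computers.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupOU `
        -Description 'Computers on which only faculty may log on locally'
}

# GPO; drop Authenticated Users from the filter so only group members read
# and apply it (the same thing the Scope tab's Remove button does).
try { Get-GPO -Name $gpoName -ErrorAction Stop | Out-Null } catch { New-GPO -Name $gpoName | Out-Null }
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null

# Link it to the OU holding the faculty workstations, once.
$linked = (Get-GPInheritance -Target $linkOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $linkOU | Out-Null }

# Add the computers; each picks the policy up at its next reboot.
foreach ($pc in $members) {
    Add-ADGroupMember -Identity $groupName -Members (Get-ADComputer -Identity $pc)
}

Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission | Format-Table -AutoSize

# On a rebooted member workstation: export the effective local policy and
# resolve the SIDs that hold SeInteractiveLogonRight. Expect Administrators,
# Domain Admins and Faculty only; the local Users group must be gone.
function Get-InteractiveLogonHolders {
    $inf = Join-Path $env:TEMP 'user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $line = Get-Content $inf | Where-Object { $_ -like 'SeInteractiveLogonRight*' }
    Remove-Item $inf
    if (-not $line) { return @() }
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $entry = $_.Trim().TrimStart('*')       # secedit prefixes SIDs with *
        try { (New-Object System.Security.Principal.SecurityIdentifier($entry)).Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }                         # not a SID or unresolvable: show raw
    }
}
Get-InteractiveLogonHolders
```

If Get-InteractiveLogonHolders still shows BUILTIN\Users after a reboot, the computer has not applied the GPO: check that it is a direct member of the group (nested groups work, but the token is only rebuilt at boot) and that the OU it lives in is the one linked.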


REFRESH GROUP POLICY SETTINGS WITH GPUPDATE.EXE 


Syntax


gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot] [/?]


Parameters

/target:{computer | user}
Processes only the computer settings or the current user settings. By default,
both the computer settings and the user settings are processed.

/force
Ignores all processing optimizations and reapplies all settings. The Group Policy
engine on the client tracks versions of the GPOs that are applied to the user and
computer. By default, if none of the GPO versions change and the list of GPOs
remains the same, the Group Policy engine will not reprocess policy. This option
overrides this optimization and forces the Group Policy engine to reprocess all
policy information.

/wait:value
Number of seconds that policy processing waits to finish. The default is 600
seconds. 0 means "no wait"; -1 means "wait indefinitely."
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/logoff 
Logs off after the refresh has completed. This is required for those Group Policy 
client-side extensions that do not process on a background refresh cycle but that 
do process when the user logs on, such as user Software Installation and Folder 
Redirection. This option has no effect if there are no extensions called that 
require the user to log off. 

/boot 
Restarts the computer after the refresh has completed. This is required for those 
Group Policy client-side extensions that do not process on a background refresh 
cycle but that do process when the computer starts up, such as computer 
Software Installation. This option has no effect if there are no extensions called 
that require the computer to be restarted. 

/?
Displays help at the command prompt.


Examples 
The following examples show how you can use the gpupdate command: 


• gpupdate
• gpupdate /target:computer
• gpupdate /force /wait:100
• gpupdate /boot
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UPDATE GROUP POLICY SETTINGS FROM GROUP POLICY MANAGEMENT CONSOLE 


A new feature introduced with Windows Server 2012 is the ability to force a Group
Policy refresh on every computer in an Organizational Unit from within the Group
Policy Management Console. Before it runs, the update process reports how many
computer objects will be affected by the operation.


Right-click an Active Directory Organizational Unit (OU) and select Group Policy
Update. The console schedules a gpupdate /force on each computer (to run within the
next ten minutes) over RPC and WMI, so the target computers must allow the Remote
Scheduled Tasks Management and Windows Management Instrumentation inbound firewall
rules; the Group Policy Remote Update Firewall Ports starter GPO in GPMC opens them.


[Screenshot: Group Policy Management console, Forest: school.local > Domains > school.local; the context menu on an OU shows Create a GPO in this domain, and Link it here..., Link an Existing GPO..., Block Inheritance, Group Policy Update..., Group Policy Modeling..., New Organizational Unit, New Window from Here, Delete, Refresh, Properties, Help. The linked GPOs listed are Default Domain Controllers Policy, Default Domain Policy and Folder Redirection Policy, all Enabled.

Confirmation dialog: "You have chosen to force a Group Policy update on all computers within Domain Controllers and all subcontainers. If you choose 'Yes' below, User and Computer policy settings will be updated on: 1 Computer. Are you sure you want to update policy for these computers?"

Result dialog: "Group Policy update will be forced on all computers within Domain Controllers and all subcontainers within the next 10 minutes. Both user and computer policy settings will be refreshed." Completed (1 of 1). Succeeded (1): WIN-DC1.school.local.]
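The same forced refresh from PowerShell, as an added example that is not part of the DIS guide: Invoke-GPUpdate is what the console's Group Policy Update action calls for each computer, and scripting it gives a per-host result list instead of a summary dialog. It assumes an OU named Workstations in the domain; the hosts that fail are almost always powered off or missing the firewall rules described above.

```powershell
# Added example (not from the DIS guide): force a Group Policy refresh on
# every enabled computer in an OU and record the outcome per host.
# Assumes an OU named "Workstations" directly under the domain.
Import-Module ActiveDirectory, GroupPolicy

$ou        = "OU=Workstations,$((Get-ADDomain).DistinguishedName)"
$computers = @(Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $ou |
               Select-Object -ExpandProperty Name)
'{0} computers in {1}' -f $computers.Count, $ou

$report = foreach ($c in $computers) {
    # Invoke-GPUpdate schedules gpupdate on the target over RPC/WMI; the host
    # must allow the Remote Scheduled Tasks Management and WMI-In firewall rules.
    try {
        Invoke-GPUpdate -Computer $c -Force -RandomDelayInMinutes 0 -ErrorAction Stop
        [pscustomobject]@{ Computer = $c; Result = 'scheduled' }
    } catch {
        [pscustomobject]@{ Computer = $c; Result = $_.Exception.Message }
    }
}
$report | Format-Table -AutoSize

# Keep the failures for a re-run once the machines are back on the network.
$retry = $report | Where-Object { $_.Result -ne 'scheduled' } | Select-Object -ExpandProperty Computer
if ($retry) { "Not reached: $($retry -join ', ')" }
```

"scheduled" means the task was created on the remote computer, not that policy has already been applied; the refresh itself runs within the random delay (zero here) and can be confirmed afterwards with gpresult /r on the host.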
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TROUBLESHOOTING WINDOWS SERVER 2012 


DISABLING THE SHUTDOWN EVENT TRACKER 


To turn off the Shutdown Event Tracker, navigate to the following key in your registry: 
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Reliability 

**The Reliability key must be created if it does not already exist.

Create a new DWORD value:


Value Name: ShutdownReasonOn
Value: 0 (HEX)


[Screenshot: Registry Editor at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Reliability, showing the ShutdownReasonOn REG_DWORD value set to 0x00000000 (0).]


**The change will take place immediately no reboot is required. 
SET TIME SOURCE TO DIS


First, locate the server holding the PDC emulator role. Open a command prompt on
any domain controller and type:
netdom query fsmo

Log in to your PDC Server and open the command prompt. 

Stop the W32Time service 

net stop w32time 


Configure the external time sources (the peer list is space-separated). Type:


w32tm /config /syncfromflags:manual /manualpeerlist:"165.29.1.11 165.29.1.12"


Make your PDC a reliable time source for the clients. Type: 
w32tm /config /reliable:yes 

Start the w32time service: 

net start w32time 


The windows time service should begin synchronizing the time. You can check 
the external NTP servers in the time configuration by typing: 


w32tm /query /configuration 


**Check the Event Viewer for any errors. 
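The same configuration scripted with the checks a practitioner wants afterwards, as an added example that is not part of the DIS guide: it locates the PDC emulator, refuses to run anywhere else, applies the w32tm settings above in one call (the /update flag makes the service restart unnecessary), verifies that the DIS servers are really the source, and then confirms that every other domain controller is still following the domain hierarchy rather than its own peer list. The peer addresses are the DIS servers from the guide; the only assumption is an elevated prompt on a domain member with the ActiveDirectory module.

```powershell
# Added example (not from the DIS guide): configure the PDC emulator to sync
# from the DIS time servers and verify the whole hierarchy.
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
"PDC emulator: $pdc"
if ($env:COMPUTERNAME -ne ($pdc -split '\.')[0]) { throw "Run this on $pdc, not on $env:COMPUTERNAME" }

# Space-separated peer list, as w32tm expects. /update applies the change
# without stopping and starting w32time.
$peers = '165.29.1.11 165.29.1.12'
w32tm /config /syncfromflags:manual /manualpeerlist:"$peers" /reliable:yes /update
w32tm /resync /nowait

# Verify: configured peers, the source actually in use, stratum and offset.
w32tm /query /peers
$source = (w32tm /query /source) -join ''
if ($source -notmatch '165\.29\.1\.1[12]') {
    Write-Warning "Current source is '$source'; give the resync a minute and check the Event Viewer (Time-Service)"
}
w32tm /query /status

# Every other DC (and every member) should follow the domain hierarchy,
# i.e. show Type: NT5DS, never its own manual peer list.
$others = (Get-ADDomainController -Filter * | Where-Object { $_.HostName -ne $pdc }).HostName
foreach ($dc in $others) {
    $type = (w32tm /query /configuration /computer:$dc | Where-Object { $_ -match '^\s*Type:' }) -join ''
    '{0,-30} {1}' -f $dc, $type.Trim()
}
```

A non-PDC domain controller that reports Type: NTP was configured with a manual peer list at some point; reset it with w32tm /config /syncfromflags:domhier /update on that host so the hierarchy has a single external entry point.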
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ACTIVE DIRECTORY MAINTENANCE 


DELETE DEAD/TOMBSTONED DOMAIN CONTROLLER FROM ACTIVE DIRECTORY


Use this procedure when a domain controller has failed and can no longer be
demoted. Since Windows Server 2008, deleting the NTDS Settings object in Active
Directory Sites and Services or the computer object in Active Directory Users and
Computers performs the metadata cleanup automatically; the ADSI Edit steps below
are the manual equivalent. If the dead domain controller held any FSMO role,
seize that role afterwards (see Manually Seize FSMO Roles).


1. From another Domain Controller within the domain, open a command prompt
and type ADSIEDIT.MSC


2. Inthe ADSI Edit window, click Action > Connect To. 


3. In the Select a Well Known Naming Context drop-down menu, select 
Configuration, and click OK. 


[Screenshot: ADSI Edit Connection Settings. Name: Configuration. Path: LDAP://DC1.school.local/Configuration. Connection Point: Select a well known Naming Context: Configuration. Computer: Default (Domain or server that you logged in to). Use SSL-based Encryption unchecked.]


REMOVING THE SERVER FROM THE ACTIVE DIRECTORY SITE 


4. Navigate to
Configuration\CN=Configuration\CN=Sites\CN=<SiteName>\CN=Servers\CN=<ServerName>,
where <SiteName> and <ServerName> correspond to the location of the dead
domain controller.


5. Right-Click on CN=NTDS Settings and click Delete, when prompted to delete the 
container and everything in it, click Yes. 
[Screenshot: confirmation prompt "Do you want to delete this container and everything in it?"]


6. — Right-Click CN=Server Name that you are removing and click Delete. Click Yes to 
confirm the delete. 


REMOVING THE SERVER FROM THE FILE REPLICATION SERVICE

**These steps apply to domains whose SYSVOL is still replicated by FRS. If
SYSVOL has been migrated to DFS Replication (the default for domains created at
the Windows Server 2008 functional level or higher), the member objects live
under CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System instead and are
named by GUID rather than by server name.

7. In the ADSI Edit window, click on ADSI Edit in the left-hand pane.

8. Click Action > Connect To.


9. In the Select a Well Known Naming Context drop-down menu, select Default
naming context, and click OK.


10. Navigate to Default naming context\CN=System\CN=File Replication Service\CN=Domain
System Volume (SYSVOL share)\CN=<ServerName>, where <ServerName>
corresponds to the dead domain controller.

11. Right-click the CN=<ServerName>, and select Delete. 

12. Click Yes to delete the object. 

REMOVING THE SERVER FROM ACTIVE DIRECTORY SITES AND SERVICES 

13. Open Active Directory Sites and Services. 

14. Expand Sites. 

15. Expand the AD Site that the dead Domain Controller was a member of. 

16. Expand the dead Domain Controller. 


17. Right-click NTDS Settings and click Delete. 


18. When prompted, click Yes. 
19. You will receive the Confirm Subtree Deletion box as shown below. Check the
Use Delete Subtree server control option and click Yes.


[Screenshot: Confirm Subtree Deletion. "Object DC2 contains other objects. Are you sure you want to delete object DC2 and all of the objects it contains? If you cancel the running deletion, the objects deleted thus far will not be recovered. WARNING: if you select the Use Delete Subtree server control check box, all objects within the subtree, including all delete-protected objects, will be deleted, and the deletion cannot be canceled."]


20. Close Active Directory Sites and Services.


REMOVING THE SERVER FROM ACTIVE DIRECTORY USERS AND COMPUTERS 


21. Open Active Directory Users & Computers. 

22. Browse to the Domain Controller computer object, right-click it and select Delete. 

23. When prompted to confirm the deletion, select Yes. 

24. Another confirmation box will pop up. 

25. Check the box next to “This Domain Controller is permanent...” and click Delete. 

26. Close Active Directory Users & Computers. 


**Verify DNS to make sure that no records remain that are tied to the server that 
was removed from the domain. 
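The manual steps above touch four places (the site's server object with its NTDS Settings, the SYSVOL replication membership, the computer account, and DNS), and it is easy to miss one. The following PowerShell is an added example, not part of this guide, that checks all four from a surviving domain controller so an empty result confirms the clean-up is complete. It assumes the RSAT ActiveDirectory and DnsServer modules; the names DC2, DC1 and the IP address in the usage line are placeholders. Because 2012 R2 domains may replicate SYSVOL with DFSR instead of FRS, it also looks under CN=DFSR-GlobalSettings, which the manual steps do not cover.

```powershell
# Added example (not from the original guide): verify that no trace of a dead
# domain controller remains after the manual ADSI Edit / Sites and Services /
# ADUC clean-up. Requires the RSAT ActiveDirectory and DnsServer modules.
Import-Module ActiveDirectory
Import-Module DnsServer

function Test-DeadDcCleanup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ServerName,   # NetBIOS name of the dead DC (placeholder: DC2)
        [Parameter(Mandatory)][string]$SurvivingDc,  # a live DC that also runs DNS (placeholder: DC1)
        [string]$OldIPAddress                        # optional: catches stale same-as-parent A records
    )

    $rootDse  = Get-ADRootDSE -Server $SurvivingDc
    $cfgNC    = $rootDse.configurationNamingContext
    $domainDN = $rootDse.defaultNamingContext
    $dnsRoot  = (Get-ADDomain -Server $SurvivingDc).DNSRoot
    $fqdn     = "$ServerName.$dnsRoot"
    $found    = [System.Collections.Generic.List[object]]::new()

    # Steps 4-6 and 17-19: server object under CN=Sites, plus anything below it
    # (NTDS Settings, connection objects)
    Get-ADObject -Server $SurvivingDc -SearchBase "CN=Sites,$cfgNC" -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=server)(cn=$ServerName))" |
        ForEach-Object {
            Get-ADObject -Server $SurvivingDc -SearchBase $_.DistinguishedName -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
                ForEach-Object { $found.Add([pscustomobject]@{ Area = 'Sites'; Object = $_.DistinguishedName }) }
        }

    # Steps 10-12: FRS member object. A DFSR-replicated SYSVOL keeps the
    # equivalent msDFSR-Member object under DFSR-GlobalSettings instead.
    $sysvolBases = @(
        "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN",
        "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
    )
    foreach ($base in $sysvolBases) {
        try {
            Get-ADObject -Server $SurvivingDc -SearchBase $base -SearchScope OneLevel -LDAPFilter "(cn=$ServerName)" -ErrorAction Stop |
                ForEach-Object { $found.Add([pscustomobject]@{ Area = 'SYSVOL replication'; Object = $_.DistinguishedName }) }
        } catch {
            # Container absent (for example no FRS objects in a DFSR-only domain): nothing to check there
        }
    }

    # Steps 21-26: the computer account (sAMAccountName of a computer ends in $)
    Get-ADComputer -Server $SurvivingDc -LDAPFilter "(sAMAccountName=$ServerName`$)" |
        ForEach-Object { $found.Add([pscustomobject]@{ Area = 'Computer account'; Object = $_.DistinguishedName }) }

    # Closing note of the section: DNS records that still name the removed server
    # (A, CNAME, NS and the SRV records under _msdcs are the usual leftovers)
    $patterns = @([regex]::Escape($fqdn))
    if ($OldIPAddress) { $patterns += [regex]::Escape($OldIPAddress) }
    Get-DnsServerZone -ComputerName $SurvivingDc |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            $zone = $_.ZoneName
            Get-DnsServerResourceRecord -ComputerName $SurvivingDc -ZoneName $zone |
                Where-Object {
                    $data = ($_.RecordData | Format-List | Out-String)
                    $_.HostName -eq $ServerName -or ($patterns | Where-Object { $data -match $_ })
                } |
                ForEach-Object { $found.Add([pscustomobject]@{ Area = "DNS zone $zone"; Object = "$($_.HostName) $($_.RecordType)" }) }
        }

    return $found
}

# Usage with placeholder names: an empty result means the clean-up is complete
$leftovers = @(Test-DeadDcCleanup -ServerName 'DC2' -SurvivingDc 'DC1' -OldIPAddress '10.0.0.12')
if ($leftovers.Count -eq 0) { 'No remaining references to DC2' } else { $leftovers | Format-Table -AutoSize }
```

Run it from a surviving domain controller or an administrative workstation with RSAT. Any row it returns names the exact object or record to go back and remove; the DNS check is deliberately broad (it matches the old name or IP anywhere in the record data) because stale SRV and NS records under _msdcs are what keep clients trying to reach the dead server.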
MANUALLY SEIZE FSMO ROLES 
To seize the FSMO roles by using the Ntdsutil utility, follow these steps: 


e Log on to a Windows Server-based member computer or domain controller that 
is located in the forest where FSMO roles are being seized. 


**It is recommended that you log on to the domain controller that you are assigning 
FSMO roles to. 


**The logged-on user should be a member of the Enterprise Administrators group to 
transfer schema or domain naming master roles, or a member of the Domain 
Administrators group of the domain where the PDC emulator, RID master and the 
Infrastructure master roles are being transferred. 

e Click Start, click Run, type ntdsutil in the Open box, and then click OK. 

e Type roles, and then press ENTER. 

e Type connections, and then press ENTER. 

e Type connect to server servername, and then press ENTER. 
**Servername is the name of the domain controller the FSMO role is being transferred to. 

e At the server connections prompt, type q, and then press ENTER. 

e Type seize role, where role is the role that you want to seize. 
**For a list of roles that you can seize, type ? at the fsmo maintenance prompt, and 
then press ENTER, or see the list of roles at the end of this section. For example, to 
seize the RID master role, type seize rid master. The one exception is for the PDC 
emulator role, whose syntax is seize pdc, not seize pdc emulator. 


e At the fsmo maintenance prompt, type q, and then press ENTER. 


e Type q, and then press ENTER to quit the Ntdsutil utility. 
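Seizure is a last resort for a domain controller that will never return, and the former role holder must not be brought back online afterwards (rebuild it instead), because two servers would then believe they own the same role. The PowerShell below is an added example, not part of this guide: it records the current role holders so you have a before/after picture, and runs the same ntdsutil prompt sequence as the bulleted steps above as a single non-interactive command, including the pdc spelling exception. It assumes the RSAT ActiveDirectory module, and DC1 is a placeholder for the surviving domain controller that will take the roles.

```powershell
# Added example (not from the original guide): inventory FSMO role holders and
# drive the ntdsutil seizure sequence above from a script. Requires the RSAT
# ActiveDirectory module; DC1 in the usage lines is a placeholder.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    param([string]$Server = $env:COMPUTERNAME)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster          # forest-wide (Enterprise Admins)
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide (Enterprise Admins)
        PDCEmulator          = $domain.PDCEmulator           # per domain  (Domain Admins)
        RIDMaster            = $domain.RIDMaster             # per domain  (Domain Admins)
        InfrastructureMaster = $domain.InfrastructureMaster  # per domain  (Domain Admins)
    }
}

# ntdsutil's own names for the roles; note the "seize pdc" exception called out above
$NtdsutilRoleName = @{
    SchemaMaster         = 'schema master'
    DomainNamingMaster   = 'naming master'
    PDCEmulator          = 'pdc'
    RIDMaster            = 'rid master'
    InfrastructureMaster = 'infrastructure master'
}

function Invoke-FsmoSeizure {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster')]
        [string[]]$Role
    )
    foreach ($r in $Role) {
        # The manual prompts (roles > connections > connect to server > q > seize ... > q > q)
        # passed as arguments. ntdsutil first attempts a clean transfer and only seizes if
        # that fails; it still shows its own confirmation dialog before seizing.
        $ntdsArgs = @('roles', 'connections', "connect to server $TargetDc", 'quit',
                      "seize $($NtdsutilRoleName[$r])", 'quit', 'quit')
        if ($PSCmdlet.ShouldProcess($TargetDc, "seize $r")) {
            & ntdsutil.exe @ntdsArgs
        }
    }
}

# Usage (placeholder DC name): record the holders first, seize, then check again
$before = Get-FsmoRoleHolder -Server 'DC1'
$before | Format-List
# Invoke-FsmoSeizure -TargetDc 'DC1' -Role RIDMaster, PDCEmulator   # prompts before each role
# Get-FsmoRoleHolder -Server 'DC1' | Format-List                     # every role should now name a live DC
```

The -Confirm prompt from ShouldProcess is deliberate: run Get-FsmoRoleHolder alone first and seize only the roles that still point at the dead server. The native equivalent of the ntdsutil sequence is Move-ADDirectoryServerOperationMasterRole with -Force, which also seizes when the current holder cannot be reached; either way, finish by confirming that every role in the output names a domain controller that is actually online.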
HOW TO RESET THE DIRECTORY SERVICES RESTORE MODE ADMINISTRATOR ACCOUNT PASSWORD 


24. Click Start, click Run, type ntdsutil, and then click OK. 
25. At the Ntdsutil command prompt, type set dsrm password. 
26. At the DSRM command prompt, type one of the following lines: 
a. To reset the password on the server on which you are working, type: 
reset password on server null 


**The null variable assumes that the DSRM password is being reset on the local 
computer. Type the new password when you are prompted. 


**No characters appear while you type the password. 
b. To reset the password for another server, type: 
reset password on server servername 


**where servername is the DNS name for the server on which you are resetting the 
DSRM password. 


c. Type the new password when you are prompted. 


27. At the DSRM command prompt, type q. 


28. At the Ntdsutil command prompt, type q to exit. 
Active Directory, Microsoft, MS-DOS, Visual Basic, Visual Studio, Windows, 
Windows NT, Active Directory, and Windows Server are either registered trademarks or 
trademarks of Microsoft Corporation in the United States and/or other countries. 


This product contains graphics filter software; this software is based, in part, on the 
work of the Independent JPEG Group. 


All other trademarks are property of their respective owners. 